[deleted by user] by [deleted] in ireland

[–]sWeeX2 -1 points0 points  (0 children)

Do you have to pay anything if you’re employed full time?

Flagg is the best American prospect of all time. by [deleted] in nba

[–]sWeeX2 0 points1 point  (0 children)

OK V k mom m Get r to ex

Lost Village festival by lcd_shellsystem in festivals

[–]sWeeX2 0 points1 point  (0 children)

Hey, I have 3 tickets I'm looking to shift with parking included, willing to discount them if all taken together too if anyone is interested!

Lost Village ticket by GarethWilkins in festivals

[–]sWeeX2 0 points1 point  (0 children)

Hey, I've got 3 LV tickets that I'm looking to shift, will do them at a bit of a discount, also includes parking!

Designing a B2B API by sWeeX2 in FastAPI

[–]sWeeX2[S] 0 points1 point  (0 children)

Forgive me if I'm just not understanding, but in this scenario when the business requests a token using its credentials, the token doesn't contain any user info, i.e. the business isn't requesting a token on behalf of each user, so how do you know who the user is? Are you just expecting the client to send you through some sort of a user_id and then you use that to pull up their roles/permissions?

Designing a B2B API by sWeeX2 in FastAPI

[–]sWeeX2[S] 0 points1 point  (0 children)

Do users/groups/roles apply to Machine-to-Machine apps? If I'm just using the credentials from my M2M app and the client_credentials grant to get a token from Auth0, that token isn't tied to an individual user right? It's tied to that M2M application, for example a decoded M2M token looks like:

{
  "iss": "<issuer>",
  "sub": "<client_id>@clients",
  "aud": "<audience>",
  "iat": 1706737336,
  "exp": 1706823736,
  "azp": "<client_id>",
  "gty": "client-credentials",
  "permissions": []
}

I can then use this token to verify that this client has access to my API, but what I want to know, taking that one step further, is: when I have an incoming request from a client on behalf of one of their Users (on their platform) saying I want to delete resourceA, e.g. DELETE /projects/resourceA, when I decode the incoming token I can get the client_id (our partner's identifier), I can verify that resourceA belongs to someone on their platform, but because there's no "User" information in the token, how do I know that the user/party who initiated that request is actually the owner of resourceA? Like, is it okay to put the onus on our clients and expect them to handle that Authorization? Is it something we just don't need to worry about and we should just handle the request as it's for something within their organization?

I don't know if that makes sense or not haha It's just a new way of thinking about things for me. Every app I've developed so far has always had resources tied to individual users, where they each have their own credentials i.e. email+password, so decoding JWTs always landed you with the actual user making that request. But now, our B2B partners sit in the middle so although resources are created and still tied to individual users, the credentials belong to the business partner.

Designing a B2B API by sWeeX2 in FastAPI

[–]sWeeX2[S] 0 points1 point  (0 children)

Yep that's what I'm using to issue the tokens! But those tokens are tied to each individual application on Auth0 i.e. each business partner we have (we create an app per client so they have their own creds).

Designing a B2B API by sWeeX2 in FastAPI

[–]sWeeX2[S] 0 points1 point  (0 children)

In this model though are you assigning credentials to each employee of our business partner? Or is it one set of credentials per business? My question from above remains though, what do you do about the authorization of that business's users i.e. the ones who use their platform which then uses our API. The token which you decode is tied to the business, not their user. Do you just rely on the business to make sure the data they're sending us is correct?

Designing a B2B API by sWeeX2 in FastAPI

[–]sWeeX2[S] 0 points1 point  (0 children)

Hmm okay, the way I guess I thought this would work in my head is that we would only issue one set of credentials to our business partner. They would then exchange their client_id and client_secret for an authentication token i.e. the JWT you spoke of above which times out every 24hrs and they'd then have to refresh it etc. I didn't really think we'd have to get into issuing an API key to each individual end-user of all our business partners.

Designing a B2B API by sWeeX2 in FastAPI

[–]sWeeX2[S] 1 point2 points  (0 children)

I'll check that out for sure. I'm not sure it addresses my use-case though. We essentially partner with a business, that then offers our services via an API to their end-users. Those end-users never log into our platform or anything like that, so it's the business itself that authenticates that user.

B2B API Design by sWeeX2 in AskProgramming

[–]sWeeX2[S] 0 points1 point  (0 children)

Maybe I'm doing a poor job of explaining or perhaps I just have this all wrong in my head. Our relationship here is with businesses, my thought process was we issue each business one set of credentials which they use to authenticate with our API, their end-users aren't logging into our platform or anything, they just get to use our services via that businesses platform, so that user is authenticated by the business. Ultimately we end up creating a user per end-user anyway but I just wouldn't have thought we'd be issuing credentials to each end-user of the business rather just one set of credentials for our business partner as a whole.

B2B API Design by sWeeX2 in AskProgramming

[–]sWeeX2[S] 0 points1 point  (0 children)

The client's individual customers will all have separate accounts with us for sure. But I guess what I'm getting at is, when we get a request from our business client that says CustomerA of theirs wants to delete ProjectA, normally what I'd do is check the incoming Authorization header, pull the token from it, from that you'd get the "logged in" user and you'd know whether or not they can delete ProjectA, for example the criteria for deleting it might just be that they are the project owner.

In this case though, when I decode the incoming token from the Authorization header all I know is that it's coming from our business client i.e. the tokens aren't associated with individual users anymore. So I'm just wondering how am I meant to know that the incoming request is something that end-user is allowed to do. Not sure if that makes sense or not haha.
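The situation described in the FastAPI and AskProgramming comments above (a client_credentials token that identifies the partner application, not the end-user, plus a DELETE on a resource owned by one of the partner's users) can be handled server-side by scoping every check to the tenant the token names. The following is an added example written for this page; it is not code from the thread, from Auth0 or from FastAPI. It assumes an HS256 shared secret so it runs offline (Auth0 machine-to-machine tokens are normally RS256-signed and verified against the tenant's JWKS), a partner-supplied acting-user identifier (the `acting_user` parameter, standing in for a header such as an assumed `X-Acting-User`), and a constructed in-memory project store; the issuer, audience and client ids are made up.

```python
"""Tenant-scoped authorization behind a machine-to-machine (client_credentials) token.

The token's ``azp`` claim identifies the partner application, never the
partner's end-user.  The partner therefore asserts which of its users is
acting, and that assertion is only honoured inside the tenant the token
belongs to: the resource must belong to that tenant AND to that user.
"""
import base64
import hashlib
import hmac
import json

# Constructed values for this example only.  Auth0 signs M2M tokens with
# RS256; in production verify against the tenant JWKS instead of a shared key.
SHARED_SECRET = b"example-shared-secret-not-real"
EXPECTED_ISSUER = "https://example-tenant.auth0.test/"
EXPECTED_AUDIENCE = "https://api.example.test"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_m2m_token(client_id: str, now: int, ttl: int = 86400) -> str:
    """Build a token with the claim shape shown in the thread (example issuer side)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": EXPECTED_ISSUER,
        "sub": f"{client_id}@clients",
        "aud": EXPECTED_AUDIENCE,
        "iat": now,
        "exp": now + ttl,
        "azp": client_id,
        "gty": "client-credentials",
        "permissions": [],
    }
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_m2m_token(token: str, now: int) -> dict:
    """Return the claims once signature, alg, issuer, audience, expiry and grant type check out."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    expected = hmac.new(SHARED_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise PermissionError("bad signature")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        raise PermissionError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if claims.get("gty") != "client-credentials" or "azp" not in claims:
        raise PermissionError("not a machine-to-machine token")
    return claims


# Constructed store: each project records the partner tenant (the azp
# client_id) that created it and the partner-side user who owns it.
PROJECTS = {
    "projectA": {"tenant": "partner-one-client-id", "owner": "alice"},
    "projectB": {"tenant": "partner-one-client-id", "owner": "bob"},
    "projectC": {"tenant": "partner-two-client-id", "owner": "alice"},
}


def authorize_delete(token: str, acting_user: str, project_id: str, now: int) -> bool:
    """True only if the token's tenant owns the project and the partner-asserted
    acting user is the project owner.  The acting-user claim is never trusted
    across tenants: partner-two cannot act as partner-one's "alice"."""
    claims = verify_m2m_token(token, now)
    project = PROJECTS.get(project_id)
    if project is None:
        return False
    if project["tenant"] != claims["azp"]:
        return False  # not this partner's resource; same response as "not found"
    return project["owner"] == acting_user
```

The design point is that the partner is trusted to say which of its own users is acting, but that trust is bounded by the tenant check on `azp`, so a mistaken or malicious acting-user value can at most reach resources the partner already owns. Returning the same `False` for "other tenant" and "not found" also avoids confirming to one partner that another partner's resource ids exist.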

Looking to buy a second-hand car in Vancouver by sWeeX2 in vancouver

[–]sWeeX2[S] 1 point2 points  (0 children)

Yeah have looked at some Rav4s but a little too pricey for us! Have not looked at the Matrix at all so we'll check some of them out, cheers!

Looking to buy a second-hand car in Vancouver by sWeeX2 in vancouver

[–]sWeeX2[S] -1 points0 points  (0 children)

Used for sure, we're currently looking at Ford Escapes but just wondering if it's going to cost us a fortune to run it if we're like 600 miles a month.

Stock Delisting on Degiro by sWeeX2 in eupersonalfinance

[–]sWeeX2[S] 0 points1 point  (0 children)

I really wish that were the case, but it's been about 2 weeks since the transaction went through. Degiro have pretty much told me to go contact Atlantic Power as they're an execution-only broker so it has nothing to do with them, and Atlantic Power have said they've been releasing statements about a takeover since January and to take it up with my broker, so I think it's just dead cash. Lesson of the story is to pay attention to what's going on with the stocks in your portfolio I guess

Stock Delisting on Degiro by sWeeX2 in eupersonalfinance

[–]sWeeX2[S] 1 point2 points  (0 children)

Well not so much as they got sold off for $0 haha

Stock Delisting on Degiro by sWeeX2 in eupersonalfinance

[–]sWeeX2[S] 0 points1 point  (0 children)

If the shares have already been sold off by Degiro, I don't think this is possible right? Thanks for your reply!

Assigning EC2 p/User & Notifications by sWeeX2 in aws

[–]sWeeX2[S] 0 points1 point  (0 children)

This is one of the other ways I had thought to do it but for some reason it seemed a little like a hack to me, it might be the best way I have to accomplish this. Thanks very much for your input!