Add MFA capability and permission #79
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This PR is a proposal to add a capability `/mfa-enforcing` as well as a permission `mfa-enforced` to the specification. The version of the specification is bumped to 1.2.0. If an OCM provider has the capability `/mfa-enforcing` it will respond with a boolean on the endpoint /mfa-enforcing to indicate whether or not it will try to comply with a MFA requirement set as a permission on a share. If the sharer OCM provider trusts the sharee OCM provider the sharer MAY set the permission `mfa-enforced` on a share. A complient OCM provider that signals mfa-enforcing `true` MUST not allow access to a resource to a user that has not provided a second factor to establish the identity of the user with greater confidence. Since there is no way to guarantee that the sharee OCM provider will actually enforce the MFA requirement, it is up to the sharer OCM provider to establish a trust with the OCM sharee provider such that it is reasonable to assume that the sharee OCM provider will honor the MFA requirement. This establishment of trust will inevitably be implementation dependent, and can be done for example using a pre approved allow list of trusted OCM providers. The procedure of establishing trust is out of scope for this specification.
glpatcern
reviewed
Jan 12, 2024
This patch adds information about MFA to the readme-file and renames `mfa-enforcing` to `mfa-capable`. The respons is simplified from a boolean response on the endpoint to an empty HTTP 200 OK response. Version is reset to 1.1.0
mickenordin
changed the title
glpatcern
approved these changes
Jan 16, 2024
There was a problem hiding this comment.
Looks good! @smesterheide and/or @michielbdejong any further thoughts?
|
I remember that |
|
Does it look like you expected now @glpatcern? I am not sure I did the right thing when merging your changes... |
|
Yes, I think this is OK (modulo one spurious thing easy to fix). For the discovery endpoint, that's something that was discussed in #37 (comment) and at the time it was decided NOT to go to |
glpatcern
approved these changes
Mar 18, 2024
Co-authored-by: Giuseppe Lo Presti <giuseppe.lopresti@cern.ch>
Co-authored-by: Giuseppe Lo Presti <giuseppe.lopresti@cern.ch>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR is a proposal to add a capability
/mfa-enforcingas well as a permissionmfa-enforcedto the specification. The version of the specification is bumped to 1.2.0.If an OCM provider has the capability
/mfa-enforcingit will respond with a boolean on the endpoint /mfa-enforcing to indicate whether or not it will try to comply with a MFA requirement set as a permission on a share. If the sharer OCM provider trusts the sharee OCM provider the sharer MAY set the permissionmfa-enforcedon a share.A complient OCM provider that signals mfa-enforcing
trueMUST not allow access to a resource to a user that has not provided a second factor to establish the identity of the user with greater confidence.Since there is no way to guarantee that the sharee OCM provider will actually enforce the MFA requirement, it is up to the sharer OCM provider to establish a trust with the OCM sharee provider such that it is reasonable to assume that the sharee OCM provider will honor the MFA requirement. This establishment of trust will inevitably be implementation dependent, and can be done for example using a pre approved allow list of trusted OCM providers. The procedure of establishing trust is out of scope for this specification.