-
Notifications
You must be signed in to change notification settings - Fork 24
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unify specification of securitySchemes
, security
and scopes
#53
Comments
Hi @jlurien, |
Gathering main comments so far, raised during Commonalities 24/AGO meeting:
Please, @bigludo7, @eric-murray do not hesitate to add/clarify any topic you may consider of relevance |
If the endpoint represents a resource with several CRUD operations, I would add the CRUD action, but if it is a path with single operation and it is not expected to have more operations on it, I think that the CRUD action is not necessary. For the example,
I think we don't still have those use cases. but if needed we may apply a further level to the scope, such as For the example, But this is something to discuss separately if needed. We may also think in the use of wildcards or other syntax. |
Thanks @jlurien - I'm fine with this 2 added supplement. |
About the use of openIdConnect for securitySchemes, is there any concern? |
I will create a new PR to modify guidelines with this new proposal |
To all participants in commonalities call: In addition to this issue please provide your feedback on the below issue as well camaraproject/IdentityAndConsentManagement#57 as it would impact the PR |
How are CIBA flows specified within |
Please see camaraproject/IdentityAndConsentManagement#57 (comment), the example provided includes CIBA. Further info: https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#registration |
Thanks @jpengar, so it is specified by including an extension grant in Extension grant types are not specified by OAuth2, so this has both advantages (e.g. any grant type could be included there, even ones not invented yet) and a disadvantages (e.g. how would an API client know what might need to be supported without first calling the well-known endpoint? And if multiple grant types are specified, which of those applies to that API?). When introducing the |
Please bear in mind with the |
I copy here also my comment in camaraproject/IdentityAndConsentManagement#57 (comment) In reality I doubt developers will go to any .well-known URL to discover anything. Before making any call to an API there will be an on-boarding process for developers where they have to register their applications, to consume certain APIs under certain purposes, accept T&Cs, exchange credentials, and as part of this procedure, the required grant_type and authn flows needed to consume the API have to be communicated, taking into account the purposes and regulation. This process is being designed in parallel, using TMForum APIs. Here we are designing the APIs and as part of the OAS spec we have to complete security sections with something that is compliant to the spec but at the same time flexible enough to accommodate all possibilities. Scopes have to be standardized as a minimum, and openIdConnect as securityScheme allows to express this flexibilty. At the same time, we have to document all of this, and probably add some guidance or references in the APIs to let developers understand the whole process. This is what was agreed in the last TSC. |
My suggestion was to make such guidance part of the boilerplate to be included in the API design guidelines by adding a template If the details will be in a separate document, this document should exist before this security scheme formulation is adopted by APIs. |
I agree. It would be good to have something templated to be included as a section in every info.description, and leave the long explanations to a separate document that may be referenced if needed. Let's work on the details for that. |
In Number Verification (as Dawid pointed out in #61 above) we have adhered to the use of OIDC security scheme as per communalities guidelines. However OIDC as per standard would also entail the use / delivery of identity tokens. In our case (Number Verification) we don't see the need for identity tokens (but see the need for Authorization code grant). Is there some recommendation / principle from commonalities that we could use to both adhere to OIDC but not use / implement identity tokens? |
@ECORMAC |
Thanks Eric, I'll join the discussion in the Identity & Consent working group. |
Problem description
Currently, there is no consistency across WG regarding definition of the
securitySchemes
types, and about providing and naming scopes to protect operations.This table summarizes the situation, listing which
securitySchemes
are considered per WG, and which scopes are defined for that type (linked by means ofsecurity
property):clientcredentials
authorizationCode
blockchain-public-address-read
blockchain-public-address-create
blockchain-public-address-delete
carrier-billing-payments-create
carrier-billing-payments-prepare
carrier-billing-payments-confirm
carrier-billing-payments-cancel
carrier-billing-payments-read
location-verification:verify
device-status-roaming-read
device-status-roaming-event
nbi-mgmt
edge:discovery:read
edge:serviceprofile:read
edge:serviceprofile:write
edge:serviceregistry:read
edge:serviceregistry:write
edge:traffic-influences:read
edge:traffic-influences:write
home-devices-qod-qos-write
number-verification-verify-read
number-verification-share-read
one-time-password-sms:send-validate
retrieve-sim-swap-date
check-sim-swap
qod-sessions-read
qod-sessions-write
qod-sessions-delete
qod-profiles-read
Possible evolution
Unify specification of
securitySchemes
,security
and scopes across all WGs with common guidelines. Exceptions to the guidelines should be avoided and justified.Use of openIdConnect for
securitySchemes
Generally, OpenID Connect is the protocol to be used for securitization. Each API spec will define the following entry in
securitySchemes
, as shown in CAMARA-AuthN-AuthZ-Concept.md document:The value for
openIdConnectUrl
in the CAMARA spec is an example, that must be substituted by the specific discovery endpoint for OIDC protocol of the API provider, when the API is exposed in one of its environments.Use of
security
propertyGenerally, each operation will be protected by a scope and it will include a
security
property with a single element in the array:The key is arbitrary in OAS, but convention in CAMARA is to name it
openId
. This key must be same defined in thecomponents.securitySchemes
section.The {scope} is the specific scope defined to protect this operation. It must follow the syntax specify below.
Scope naming
Define a scope per API operation with the structure:
api-name:[resource:]action
where
api-name
is the API name specified as the base path, prior to the API version, in theservers[*].url
property. For example, from/location-verification/v0
, it would belocation-verification
.resource
is optional. For APIs with severalpaths
, it may include the resource in the path. For example, from/qod/v0/sessions/{sessionId}
, it would besessions
.action
: There are two cases:POST /location-verification/v0/verify
, it would beverify
.create
: For operations creating the resource, typicallyPOST
.read
: For operations accessing to details of the resource, typicallyGET
.update
: For operations modifying the resource, typicallyPUT
orPATCH
.delete
: For operations removing the resource, typicallyDELETE
.write
: For operations creating or modifying the resource, when differentiation betweencreate
andupdate
is not neeed.Examples
location-verification:verify
qod:sessions:create
, orqod:sessions:write
qod:qos-profiles:read
The text was updated successfully, but these errors were encountered: