Documentation update with securitySchemes final agreement #93
Conversation
jpengar
requested review from
diegogonmar,
AxelNennker,
bigludo7,
hdamker and
shilpa-padgaonkar
| ``` | ||
| ### Authorization and authentication | ||
|
|
||
| CAMARA guidelines defines a set of authorization flows which can grant API clients access to the API functionality, as outlined in the document [CAMARA-API-access-and-user-consent.md](https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-API-access-and-user-consent.md). Which specific authorization flows are to be used will be determined during onboarding process, happening between the API Client and the Telco Operator exposing the API, taking into account the declared purpose for accessing the API, while also being subject to the prevailing legal framework dictated by local legislation. |
There was a problem hiding this comment.
Document "CAMARA-API-access-and-user-consent.md" says nothing about client credentials, and yet that remains a valid authorisation scheme for some CAMARA API endpoints. When it was proposed that CAMARA adopt type: openIdConnect as the ONLY valid security scheme, this was justified on the basis that .well-known/openid-configuration allows client_credentials in the list of grant_types_supported. And yet here we have a reference to a document that does not "outline" this as a possibility.
So for the proposed text to be applicable, "CAMARA-API-access-and-user-consent.md" must be updated to list client credentials as a valid authorisation scheme for some scenarios.
There was a problem hiding this comment.
Agree. This is a fair point. We will commit an update to clarify that client credentials is a valid authorization scheme for some scenarios.
There was a problem hiding this comment.
Done in commit 4f09ec6
There was a problem hiding this comment.
In terms and concepts, can you consider changing "User" term to "Subscriber" please? If approved and changed, we will have
- End User -> human participant using the application (can be a parent or alternate delegate of the carrier-resource)
- Subscriber -> subscriber of the telco operator, owner of the carrier-resource at hand. (eg., parent)
|
@jpengar: Instead of replicating all info from AuthN-AuthZ doc again in this document, may be it is easier to simply say that
All possible grant types are already documented in this doc. |
@murthygorty This specific topic is not related to the original issue #57 or the content included in this PR. Would you kindly open a new issue to discuss this specific topic? thank you so much in advance. UPDATE: I just saw a new issue of OIDF (#98) that's pretty much related. We can move this discussion there. |
@shilpa-padgaonkar That document actually mentions additional grant types/flows to those considered and defined so far as a valid option to access CAMARA APIs: Auth Code Flow, CIBA, and Client Credentials. |
|
@jpengar : That is indeed correct. My main concern is that we will soon get requests to cover more options here if not explicitly specified for eg. there might be a request to add details about PKCE or other possible extensions. Another option would be that we keep the link as is, in your PR, but mention that details about possible extensions etc. can be found in the AuthN-AuthZ doc. Also, for recommended flows under oauth2, just like client credentials we should also specify auth code flow. |
@shilpa-padgaonkar Could you use the github.com change suggestion feature to add your suggestion to the current status of the PR? That way we avoid a trail and error process in case I don't fully understand your point. :S |
| @@ -18,6 +18,11 @@ This document defines guidelines for telco operator exposure platforms to manage | |||
| - [Authorization flows / grant types](#authorization-flows--grant-types) | |||
| - [Authorization code flow (Frontend flow)](#authorization-code-flow-frontend-flow) | |||
There was a problem hiding this comment.
| - [Authorization code flow (Frontend flow)](#authorization-code-flow-frontend-flow) | |
| Detailed information on the below specified grant types (for eg. extensions to some of the grant types, links to original RFC documents etc.) is available in [CAMARA-AuthN-AuthZ-Concept.md](https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-AuthN-AuthZ-Concept.md) | |
| - [Authorization code flow (Frontend flow)](#authorization-code-flow-frontend-flow) |
There was a problem hiding this comment.
We cannot just put this paragraph there. You have to put it in the middle of the auto-generated index. When the document is saved, the index is regenerated and this change is lost.
If you want to include it, it might fit as a NOTE at the beginning of the Authorization Flows / Grant Types section.
|
@shilpa-padgaonkar @rartych @bigludo7 @eric-murray As agreed in the 20/12 WG meeting call, now that the PR has already addressed your change suggestions, could you do a final review to merge the PR and close the issue? |
jpengar
deleted the
jpengar/issue-57-doc-update-securityschemes-agreement
branch
What type of PR is this?
Add one of the following kinds:
What this PR does / why we need it:
This PR is intended to include in the WG documentation the final agreement reached by the TSC and the WG participants on the
securitySchemesandsecurityof the CAMARA API specification, and the mandatory template forinfo.description, explaining to API customers why the API specification does not list specific grant types, and how to find out what authorization flows they can use.Which issue(s) this PR fixes:
Fixes #57
Special notes for reviewers:
Changelog input
Additional documentation
N/A