New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Tentative proposal for a RS discovery mechanism #190
Comments
I'm not sure it's for GNAP to deal with that. There's no practical way we can ensure RS implementers would do it anyway. |
There are four different topics under the above proposal :
|
I believe this to be out of scope. Users do not interact with the RS. |
Hi Justin, I raised above four different topics. I wonder whether your single line comment applies to the first one or to all of them. For the user_consent_endpoint, when the client code is not screwed to a single AS (which may be able to support the end-user consent), the RS indicates to the client which ASs are being trusted and for which actions. The "user choices and consent" needs to be done by the end-user once the RS has been first contacted by the client and before any AS is being contacted by the client. Since the user consent needs to be obtained from the end-user (and not from the client), in my proposal above, I considered a different end-point at the RS able to support a UI interface. There could be different alternatives, but the document cannot remain silent when the user consent is not done at the AS. For the interact_method-endpoint, I wrote that two philosophies are possible: disclose in advance both the authentication mechanisms, if any, and the authorization mechanisms or only inform the client using a trial and error mechanism. I believe that but philosophies should co-exist. Since the title of this thread is "Tentative proposal for a RS discovery mechanism", it would be adequate to recall in the document that it is possible for a RS to advertise that a REST API is fully discoverable from the root and with no prior knowledge by doing a GET on the root. As indicated in [(https://softwareengineering.stackexchange.com/questions/170695/what-is-the-need-for-discoverability-in-a-rest-api-when-the-clients-are-not-ad)] : "Discoverability is not just for clients, it's also useful for software developers." |
AS-RS discovery is covered in GNAP-RS created by #246 |
This issue has been marked "Pending Close", however its content is fundamental. @justin You wrote:
This topic of this issue is "Tentative proposal for a RS discovery mechanism" which is fully unrelated This issue should not be yet closed |
This proposal is related to the two following issues:
A Client must first locally know to which RS it wants to talk to. If the Client has never talked to that RS before,
it SHOULD send an HTTP OPTIONS request to the discovery endpoint of the RS to retrieve the server's discovery information.
The RS MUST respond with a JSON document containing the following information:
discovery_endpoint (string)
REQUIRED. The full URL of the RS's discovery endpoint. The client SHALL verify that it matches with the URL used to query the discovery endpoint.
access_endpoint (string)
REQUIRED. The full URL of the RS's access endpoint.
user_consent_endpoint (string)
OPTIONAL. The full URL of the RS's user consent endpoint. NOTE: this data element is optional to address the case of a single AS trusted by the RS.
interact_method
OPTIONAL. A list of the RS's interaction methods. There are two possibilities:
a) a list authentication methods. This list MAY be present when the RS is willing to authenticate the end-user before any access request can be done.
b) a list of allowed operations. This list MAY be present either when the end-user has not already been authenticated by the RS
or once the end-user has been authenticated.
Note: In the later case, the list of allowed operations is likely to be different whether a strong authentication has or has not already taken place.
For each operation that can be performed at a given point of time, the RS indicates to the client the URLs of the ASs that it trusts
and for each AS which access privileges types should be present into an access token granted by that AS.
token_profile (array strings)
OPTIONAL. A list of the RS's supported token formats and key proofing mechanisms for performing an access.
service_list (array of strings)
OPTIONAL. A list of the RS's supported services. This list MAY be present when the server is supporting a service that can be fulfilled by several servers. For each service, the discovery_endpoint of each server supporting that service should be provided.
The text was updated successfully, but these errors were encountered: