How does a client determine which security protocols/standards/etc. a server supports #41

Closed
pvretano opened this issue Feb 12, 2018 · 3 comments


@pvretano
Contributor

pvretano commented Feb 12, 2018

From teleconference 12-FEB-2018:

  • discussion between Peter and Chuck about security
  • Chuck mentioned that the support path of geoapi security (i.e. OAuth and https) is not sufficient in a number of cases
  • Peter asked what is the basic issue
  • Chuck mentioned that there is no mechanism to allow a client to determine from the server what security protocols/standards/etc. are supported
  • this is related to the TB12/TB13 work of putting this information in the capabilities document
  • Peter thought that a new access path, something like /api/security could be used as an end point to get this information
  • Chuck confirmed that there are no standards in this area yet but that he, in cooperation with others, is working on something
@cportele
Member

+1 to adding /api/security or similar in an extension, in case the OpenAPI security scheme declarations are not sufficient for common use cases.

Maybe this should then also be raised at https://github.com/OAI/OpenAPI-Specification/issues since this does not sound like a geo-specific requirement and would best be addressed by ICT standards, not by OGC standards?

@cmheazel
Contributor

Already done. See OAI/OpenAPI-Specification#1004 for part of the discussion. A number of other issues touch on updates to the security declarations as well. I have been working on a set of requirements based on the U.S. NIST taxonomy of security controls. Next step is to try to pull all of these issues together into a viable proposal. Frank Terpstra is playing as well so we can tag-team.

@cmheazel
Contributor

cmheazel commented Aug 8, 2018

It appears that all of the security schemes commonly used by OGC implementations are supported by OpenAPI. Recommend closing this issue. Specific deficiencies in the OpenAPI Security Schemes should be tracked through their own issues.

@cmheazel cmheazel closed this as completed Aug 8, 2018
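
As an added example (not code from this issue or from the OGC or OpenAPI projects), the sketch below shows one way a client can answer the question in the title from the OpenAPI security declarations alone: it resolves, per operation, which declared security schemes apply, honouring operation-level overrides. The sample document, its paths, scheme names and URLs are constructed assumptions.

```python
# Constructed sample: a minimal OpenAPI 3.0 document as a server might publish it.
# Paths, scheme names and URLs are illustrative assumptions, not from the thread.
SAMPLE_API = {
    "openapi": "3.0.1",
    "security": [{"oauth": ["read"]}, {"apiKey": []}],
    "paths": {
        "/": {"get": {"security": []}},
        "/collections": {"get": {}},
        "/collections/{id}/items": {"post": {"security": [{"oauth": ["write"]}]}},
    },
    "components": {"securitySchemes": {
        "oauth": {"type": "oauth2", "flows": {"clientCredentials": {
            "tokenUrl": "https://auth.example.org/token",
            "scopes": {"read": "read features", "write": "edit features"}}}},
        "apiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
    }},
}
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def describe_scheme(scheme):
    """Summarise one Security Scheme Object as a short string."""
    kind = scheme["type"]
    if kind == "http":
        return f"http/{scheme['scheme']}"
    if kind == "apiKey":
        return f"apiKey via {scheme['in']} '{scheme['name']}'"
    if kind == "oauth2":
        return "oauth2 flows: " + ", ".join(sorted(scheme["flows"]))
    return kind  # e.g. openIdConnect

def security_by_operation(doc):
    """Map 'METHOD path' to its alternatives (any one suffices); [] = no auth."""
    schemes = doc.get("components", {}).get("securitySchemes", {})
    result = {}
    for path, item in doc.get("paths", {}).items():
        for method in HTTP_METHODS.intersection(item):
            # Operation-level "security" (even an empty list) overrides the root one.
            reqs = item[method].get("security", doc.get("security", []))
            unknown = {n for req in reqs for n in req}.difference(schemes)
            if unknown:
                raise ValueError(f"{method} {path}: undeclared {sorted(unknown)}")
            # Within one alternative, every listed scheme must be satisfied together.
            result[f"{method.upper()} {path}"] = [
                {n: (describe_scheme(schemes[n]), scopes) for n, scopes in req.items()}
                for req in reqs]
    return result

if __name__ == "__main__":
    for op, alternatives in sorted(security_by_operation(SAMPLE_API).items()):
        print(op, "->", alternatives or "no authentication required")
```

A requirement that names a scheme missing from `components.securitySchemes` raises `ValueError`, since a client cannot know how to authenticate against an undeclared scheme.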