Define OAuth2 requirements for /presentations/submissions
#242
Comments
brownoxford
changed the title
/presentations/submissions endpoint/presentations/submissions
|
Goal 1: The Opinion This one should be non-ambiguous. The |
Justification? I'm sure I don't fully understand either OAuth2 or the currently popular split of endpoints, as listed in the several "Define OAuth2 requirements" issues, but to the degree I do, it seems to me there are conceivable situations where one might want to require authentication for all endpoints one makes available, including So please, why must OAuth2 be forbidden for this use? |
The OAuth2 version of this flow is defined by the
A verifier supplies a holder with a
In this case the The reason that OAuth2 is forbidden by this end-point is because the authorization scheme is implied by the end-point definition. If you wanted to use the OAuth2 version of this flow you use |
|
+1 on #242 (comment). Except, @BenjaminMoe I think you mean So, to be precise: The This is a DIDAuth endpoint. OAuth on top of it would be double-authentication. |
|
@BenjaminMoe -- The large comment is great! I think something similar should be in each of these detailed issues, preferably as the first comment following the opener, if not as part of the opener itself, especially the last paragraph, i.e. --
I do wonder why you're using checklists for the identified "Goals" (which don't seem like "Goals" to me, but I guess that's the term used in some programming methodology?). "Goal 1" seems like a radio-button candidate, as when any one checkbox is ticked the others should not be -- i.e., they're all mutually exclusive. "Goal 2" looks like it should have something checked, and that those checked items should be mentioned in the large comment, but maybe I'm misunderstanding something else? All that said, in #242 (comment), you still have --
-- which it appears, as @nissimsan noted (and as you have edited in several other comments on this issue), should be about |
|
OpenAPI documentation has been updated. Since OAuth2 is not required for this endpoint, we will not need to write specific negative testing to ensure that it is enabled. This can be closed out. |
|
We did this. |
The goal of this issue is start discussion regarding the OAuth2 authentication requirements of the
/presentations/submissionsendpoint. This issue stems from the discussion on #187, and can be considered complete when the following items are resolved:Please note: the following lists are displayed as GitHub task lists for visual effect, not to suggest that there are actually additional tasks to be done.
The state of the checkboxes in this description represent the in-progress resolution of this issue. Until the
ready-for-closelabel is applied, this issue should be considered in-progress. This issueMUST NOTbe closed until corresponding issues have been opened to implement the relevant conformance testing and, if necessary, modify the openapi spec.Goal 1: Explicitly state OAuth2 requirements for the
/presentations/submissionsendpointOne, and only one, of these options
MUSTbe selected./presentations/submissionsendpoint MAY require OAuth2/presentations/submissionsendpoint MUST require OAuth2/presentations/submissionsendpoint MUST NOT require OAuth2Goal 2: Explicitly define scope requirements for this endpoint when authentication is in use:
One or more of these options
MUSTbe selected unless theMUST NOToption was selected in Goal 1, in which case these optionsMUST NOTbe selected. For requests that require OAuth2, each of the selected scopesMUSTbe present in an OAuth2 bearer token in order for the request to be permitted.The following list of OAuth2 scopes is pulled from the current
openapi.yamlfile. If additional scopes are needed for the/presentations/submissionsendpoint, they should be added here and an issue should be created to ensure thatopenapi.yamlis updated.resolve:didsissue:credentialsverify:credentialsread:credentialsupdate:credentialsprove:presentationsverify:presentationssubmit:presentationsThe text was updated successfully, but these errors were encountered: