New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Define OAuth2 requirements for /presentations/submissions
#242
Comments
/presentations/submissions
endpoint/presentations/submissions
Goal 1: The Opinion This one should be non-ambiguous. The |
Justification? I'm sure I don't fully understand either OAuth2 or the currently popular split of endpoints, as listed in the several "Define OAuth2 requirements" issues, but to the degree I do, it seems to me there are conceivable situations where one might want to require authentication for all endpoints one makes available, including So please, why must OAuth2 be forbidden for this use? |
The OAuth2 version of this flow is defined by the A verifier supplies a holder with a
In this case the The reason that OAuth2 is forbidden by this end-point is because the authorization scheme is implied by the end-point definition. If you wanted to use the OAuth2 version of this flow you use |
+1 on #242 (comment). Except, @BenjaminMoe I think you mean So, to be precise: The This is a DIDAuth endpoint. OAuth on top of it would be double-authentication. |
@BenjaminMoe -- The large comment is great! I think something similar should be in each of these detailed issues, preferably as the first comment following the opener, if not as part of the opener itself, especially the last paragraph, i.e. --
I do wonder why you're using checklists for the identified "Goals" (which don't seem like "Goals" to me, but I guess that's the term used in some programming methodology?). "Goal 1" seems like a radio-button candidate, as when any one checkbox is ticked the others should not be -- i.e., they're all mutually exclusive. "Goal 2" looks like it should have something checked, and that those checked items should be mentioned in the large comment, but maybe I'm misunderstanding something else? All that said, in #242 (comment), you still have --
-- which it appears, as @nissimsan noted (and as you have edited in several other comments on this issue), should be about |
OpenAPI documentation has been updated. Since OAuth2 is not required for this endpoint, we will not need to write specific negative testing to ensure that it is enabled. This can be closed out. |
We did this. |
The goal of this issue is start discussion regarding the OAuth2 authentication requirements of the
/presentations/submissions
endpoint. This issue stems from the discussion on #187, and can be considered complete when the following items are resolved:Please note: the following lists are displayed as GitHub task lists for visual effect, not to suggest that there are actually additional tasks to be done.
The state of the checkboxes in this description represent the in-progress resolution of this issue. Until the
ready-for-close
label is applied, this issue should be considered in-progress. This issueMUST NOT
be closed until corresponding issues have been opened to implement the relevant conformance testing and, if necessary, modify the openapi spec.Goal 1: Explicitly state OAuth2 requirements for the
/presentations/submissions
endpointOne, and only one, of these options
MUST
be selected./presentations/submissions
endpoint MAY require OAuth2/presentations/submissions
endpoint MUST require OAuth2/presentations/submissions
endpoint MUST NOT require OAuth2Goal 2: Explicitly define scope requirements for this endpoint when authentication is in use:
One or more of these options
MUST
be selected unless theMUST NOT
option was selected in Goal 1, in which case these optionsMUST NOT
be selected. For requests that require OAuth2, each of the selected scopesMUST
be present in an OAuth2 bearer token in order for the request to be permitted.The following list of OAuth2 scopes is pulled from the current
openapi.yaml
file. If additional scopes are needed for the/presentations/submissions
endpoint, they should be added here and an issue should be created to ensure thatopenapi.yaml
is updated.resolve:dids
issue:credentials
verify:credentials
read:credentials
update:credentials
prove:presentations
verify:presentations
submit:presentations
The text was updated successfully, but these errors were encountered: