3Legs and Client Credential in the same API #184
Replies: 2 comments 6 replies
-
Hi @FabrizioMoggio, I'll try to give my point of view on this topic.
As you mentioned in camaraproject/Commonalities#245, CAMARA ICM defines: "It is important to note that in cases where personal user data is processed by the API and users can exercise their rights through mechanisms such as opt-in and/or opt-out, the use of 3-legged access tokens becomes mandatory." ...which is the criteria to decide whether client credentials (2-legged) are allowed or not. Or vice versa, when 3-legged access becomes mandatory. This MUST be followed by all APIs. So, whether the Traffic Influence API is allowed to use client credentials or not depends on the purpose under which the API is accessed, whether or not it is legally considered processing of users' personal data, and consequently which legal basis is applied (which may or may not require user's opt-in and/or opt-out). And that would depend on local regulations, legal rulings, definition of specific application use cases, and so on. That's why ICM has defined a "generic" Long story short, if for Traffic Influence API (or some specific endpoint of the API) is legally guaranteed that there is no personal user data processing, then it could be consumed with Client Credentials and during API onboarding it will be defined accordingly
This is not a technical reason to perform a subsequent GET or DELETE request with Client Credentials. If the API client has a 3-legged access token and it expires, the API client can simply request a new one (no need to re-capture consent if it was previously captured), or better yet, use the refresh_token to get a new access_token for the same AuthN/AuthZ session. These are standard procedures as defined in https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-Security-Interoperability.md |
Beta Was this translation helpful? Give feedback.
-
@FabrizioMoggio You can have a look on how we solved (or better: tried to solve) the similar topic for the
My view is that existing sessions should be able to be managed with 2-legged tokens (read, delete) even if the API Client created them with a 3-legged token (as they had the user consent for the "create" or "write" scope at that time). But we don't take this decision within the API specification, as it depends on the (legal) context. |
Beta Was this translation helpful? Give feedback.
-
For the Traffic Influence API, having the Device (identified by the phone number) passed by the API Consumer to the API Producer, 3Legs was adopted FOR ALL the endpoints.
Actually not all the endpoints share sensitive data (Device). The Traffic Influence API can be indeed invoked to influence the traffic for ANY user that is accessing an Application. For this endpoint there is no Device used in the POST, so I assume that I can use Client Credential for these endpoints. Is this correct?
Moreover, there are other endpoints for the API Consumer to read (GET) the status of the TI Resource or to remove (DELETE) a traffic influence resource. These endpoints can be invoked when no user is online to participate in the 3Legs process and anyway the Device information usage was already certified during the POST action. What I need to use for these endpoints, 3Legs or Client Credentials? The point is that if the authorization token expires the API Consumer is not able to access those information or delete the resources on which he already got the consent for. This in the case the user is no more reachable to give the consent. For this reason I would like to use Client Credential for this operations on resources previously created with the consent of the user. Is this possible?
Beta Was this translation helpful? Give feedback.
All reactions