-
Notifications
You must be signed in to change notification settings - Fork 32
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Provide API Design guidelines for OAuth2 client credentials #171
Comments
There is an existing PR that will update the security scheme for the QoS Profiles YAML. This will use the This scheme allows for the QoS Profiles endpoints to be called with either 3-legged or 2-legged access tokens - both are valid scenarios. The additional documentation that will be added to the OAS explains exactly how the API designer will find out the details of the applicable authorisation schemes, specifically: So they will find out which authorisation flows are applicable via the Operate APIs, with the details (endpoint URLs, supported endpoint authentication methods, supported scopes, etc.) found via the |
I saw the PR but no documentation of the API behavior you describe in the above comment. Anyway, as long as there is one Camara API - population density - that is client credentials only, then there should be API designer guidelines on how that security scheme should be specified in the yaml. |
The solution adopted by ICM was clear - developers (i.e. API consumers) will not know which authorisation schemes are applicable to an API until the onboarding stage. That is what is specified in the mandatory template to be included in each API. No more text is required, though anyone is free to propose additional documentation in the OAS itself. The ICM "CAMARA API Access and User Consent Management" document already describes how client credentials are specified in the OAS. OIDC Discovery already allows additional grant types (such as |
There are APIs that are client credentials only and I think their openapi yaml files should express that. |
After DT-internal discussion closing this issue. |
Problem description
There are Camara APIs that do not involve personal data and by specifying the openid-security-scheme in the API yaml file API consumers are missing important information. If no personal data is processed then an OAuth2 client credentials security scheme is what API consumers should find in the API yaml file.
There is currently no guideline for API designers how to specify OAuth2 client credentials.
The following are two Camara APIs that do not involve personal data:
https://github.com/camaraproject/PopulationDensityData/blob/main/code/API_definitions/population-density-data.yaml @jgarciahospital
https://github.com/camaraproject/QualityOnDemand/ especially https://github.com/camaraproject/QualityOnDemand/blob/main/code/API_definitions/qos-profiles.yaml @jlurien @eric-murray
Expected action
Provide a guideline for API designer on how to specify a security scheme that allows OAuth2 client credentials.
https://github.com/camaraproject/QualityOnDemand/blob/main/code/API_definitions/qos-profiles.yaml is currently using this security scheme
Additional context
TSC agreed on October 19, 2023 :
Update OpenAPI security guideline (camaraproject/Commonalities#57)
PopulationDensityData was created in December 2023 after the TSC agreement.
QoS Profiles was split from QoS also after the TSC agreement.
I, @AxelNennker, think the TSC agreement should be re-visited because now we have Camara API that are client-credentials only.
There should be a guideline for API Designers in API Design guidelines how to specify oauth2 client-credentials in API yaml files.
API consumers would miss important information in the yaml files if the read the openid-security scheme in the API yaml file, but in fact the API requires client credentials.
The text was updated successfully, but these errors were encountered: