Adding first draft of authentication/authorization documentation #98

Open
wants to merge 1 commit into base: main

Conversation

@oej (Collaborator) commented Feb 12, 2025

Closes issue #97

@oej oej requested a review from madpah as a code owner February 12, 2025 14:57
@oej oej removed the request for review from madpah February 12, 2025 14:58
@oej (Collaborator, Author) commented Feb 12, 2025

Add HTTP responses for various cases:

  • Expired token
  • Auth revoked
  • No access to product/artefact

Comment on lines +17 to +20
In order to get interoperability between clients and servers implementing the protocol, the
specification focuses on the authentication. After successful authentication, the authorization
may be implemented in multiple ways - on various levels of the API - depending on what information
the user can access.
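Review bot: "depending on what information the user can access" leaves the client-visible outcome of an authorization decision unspecified, which undercuts the interoperability goal stated in the first sentence. Since this PR also adds responses for an expired token, revoked auth and no access to a product/artefact, state here that authentication failures and authorization failures are signalled with distinct status codes (401 for the former, 403 for the latter), so a client can tell whether re-authenticating would help.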
Contributor

Should we specify that authorization should not require additional work on the part of an authenticated client?

What I mean is that clients should have a single bearer token to authenticate to the server, instead of separate tokens for each resource they request.


## HTTP bearer token auth

The API will support HTTP bearer token in the __Authorization:__ http header.
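Review bot: the sentence names the header but not the scheme or its error handling. Spell out the exact form, `Authorization: Bearer <token>`, cite RFC 6750 so implementations agree on the carrying format, and say which response a missing, malformed, expired or revoked token produces (a 401 with a `WWW-Authenticate: Bearer` challenge under RFC 6750), since those are the cases this PR documents.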
Contributor

I would personally keep this out of scope. In some machine-to-machine scenarios, using Mutual TLS (mTLS) may make more sense. Thus I would suggest leaving out this block in favor of just saying that it is up to the implementor.
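The following is an added example, not code from this pull request or the project it documents. It shows how a server might handle the `Authorization: Bearer <token>` header discussed above and return the distinct responses the PR lists (expired token, revoked token, no access to an artefact), following RFC 6750 for the 401 challenge and using 403 for authorization failures. The token store, the artefact ACL, the fixed `NOW` timestamp and every function name here are constructed for illustration.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Fixed "current time" used by the constructed sample data below (hypothetical).
NOW = 1_700_000_000

# A response is (status code, response headers, JSON-style body).
Response = Tuple[int, Dict[str, str], Dict[str, str]]


@dataclass
class TokenRecord:
    subject: str          # principal the token was issued to
    expires_at: int       # Unix time after which the token is no longer valid
    revoked: bool = False # set when the token has been revoked before expiry


def _digest(token: str) -> str:
    """Key the store by a hash so a leaked store does not yield replayable tokens."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


# Constructed token store and artefact ACL; not from any real deployment.
TOKENS: Dict[str, TokenRecord] = {
    _digest("tok-alice"): TokenRecord("alice", NOW + 3600),
    _digest("tok-bob"): TokenRecord("bob", NOW - 60),             # already expired
    _digest("tok-carol"): TokenRecord("carol", NOW + 3600, True), # revoked
}
ARTEFACT_ACL: Dict[str, Set[str]] = {
    "artefact-1": {"alice", "bob", "carol"},
    "artefact-2": {"dave"},
}


def parse_bearer(headers: Dict[str, str]) -> Optional[str]:
    """Extract the token from 'Authorization: Bearer <token>' (RFC 6750).

    Header names and the scheme name are matched case-insensitively. Any other
    scheme, or an empty token, is treated as no bearer token at all.
    """
    for name, value in headers.items():
        if name.lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "bearer" and token.strip():
                return token.strip()
            return None
    return None


def _unauthorized(description: str, err: Optional[str]) -> Response:
    """Build a 401 with the RFC 6750 challenge.

    A request with no usable credentials gets a bare challenge (no error code);
    a request that presented a token that is unknown, revoked or expired gets
    error="invalid_token" so the client knows to obtain a fresh token.
    """
    challenge = 'Bearer realm="api"'
    if err:
        challenge += f', error="{err}", error_description="{description}"'
    body = {"error": err or "missing_token", "error_description": description}
    return 401, {"WWW-Authenticate": challenge}, body


def authorize(headers: Dict[str, str], artefact: str, now: Optional[int] = None) -> Response:
    """Authenticate the bearer token, then authorize access to one artefact."""
    now = int(time.time()) if now is None else now
    token = parse_bearer(headers)
    if token is None:
        return _unauthorized("missing or malformed bearer token", None)
    record = TOKENS.get(_digest(token))
    if record is None:
        return _unauthorized("unknown token", "invalid_token")
    if record.revoked:
        return _unauthorized("token revoked", "invalid_token")
    if record.expires_at <= now:
        return _unauthorized("token expired", "invalid_token")
    # Authentication succeeded; authorization is a separate decision.
    # 403 rather than 401 tells the client that re-authenticating will not help.
    # An unknown artefact also yields 403 so the response does not reveal
    # whether the artefact exists to a caller who is not allowed to see it.
    if record.subject not in ARTEFACT_ACL.get(artefact, set()):
        return 403, {}, {"error": "forbidden", "error_description": "no access to artefact"}
    return 200, {}, {"subject": record.subject, "artefact": artefact}


if __name__ == "__main__":
    for hdrs, art in [({"Authorization": "Bearer tok-alice"}, "artefact-1"),
                      ({"Authorization": "Bearer tok-bob"}, "artefact-1"),
                      ({"Authorization": "Bearer tok-carol"}, "artefact-1"),
                      ({"Authorization": "Bearer tok-alice"}, "artefact-2"),
                      ({}, "artefact-1")]:
        print(authorize(hdrs, art, NOW))
```

The design point is that a single bearer token authenticates the client once, and the per-artefact decision is made server-side from that identity, which matches the earlier suggestion that clients should not need a separate token per resource. Whether revoked and expired tokens should be reported identically is a policy choice; the example distinguishes them in the error description because the PR lists them as separate cases.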

3 participants