Adding first draft of authentication/authorization documentation #98
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| # Transparency Exchange API - Authentication and authorization | ||
|
|
||
|
|
||
| **NOTE**: _This is a proposal for the WG_ | ||
|
|
||
| This document covers authentication and authorization on the consumer side | ||
| of a TEA service - the discovery and download of software transparency artefacts. | ||
|
|
||
| ## Requirements | ||
|
|
||
| __Authorization__: A user of a TEA service may get access to all objects (leaf, collections) and | ||
| artefacts or just a subset, depending on the publisher of the data. Authorization is connected | ||
| to __authentication__. | ||
|
|
||
| The level of authorization is up to the implementer of the TEA implementation and the publisher. | ||
|
|
||
| In order to get interoperability between clients and servers implementing the protocol, the | ||
| specification focuses on the authentication. After successful authentication, the authorization | ||
| may be implemented in multiple ways - on various levels of the API - depending on what information | ||
| the user can access. | ||
|
|
||
| As an example, one implementation may publish all information about existing artefacts and software | ||
| versions openly, but restrict access to artefacts to those that match the customers installation. | ||
| Another implementation can implement a filter that does not show products and versions ("leafs") that | ||
| the customer has not aquired. | ||
|
|
||
| For most Open Source projects, implementing authentication - setting up accounts and managing | ||
| authorization - does not make much sense, since the information is usually in the open any way. | ||
|
|
||
| ## HTTP bearer token auth | ||
|
|
||
| The API will support HTTP bearer token in the __Authorization:__ http header. | ||
|
There was a problem hiding this comment. I would personally keep this out of scope. In some machine-to-machine scenarios, using Mutual TLS (mTLS) may make more sense. Thus I would suggest leaving out this block in favor of just saying that it is up to the implementor. |
||
| How the token is aquired is out of scope for this | ||
| specification, as is the potential content of the token. | ||
|
|
||
| As an example the token can be downloaded from a customer support portal with a long-term | ||
| validity. This token is then installed into the software transparency platform (the TEA client) | ||
| and used to automatically retrieve software transparency artefacts. | ||
|
|
||
| ## References | ||
|
|
||
| - RFC 6750: The Oauth 2.0 Authorization Framework: Bearer Token Usage (https://www.rfc-editor.org/rfc/rfc6750) | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we specify that authorization should not require additional work on the part of an authenticated client?
What I mean is that clients should have a single bearer token to authenticate to the server, instead of separate tokens for each resource they request.