
Subject: [OASIS Issue Tracker] Updated: (ODATA-301) Guidance around data authorization model and secure authenticated access to an OData Service


     [ http://tools.oasis-open.org/issues/browse/ODATA-301?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin Zurmuehl updated ODATA-301:
----------------------------------

    Proposal: 
Services requiring authentication SHOULD support basic authentication over HTTPS and MAY support other authentication methods (highlight this fact in *intermediate* conformance level). Interoperable clients SHOULD be prepared to handle basic authentication.

Services SHOULD NOT change their data model depending on the authenticated user. If the data model is user (group) dependent, all changes MUST be safe changes as defined in 5.2 Endpoint Versioning when comparing the actual model to the model visible to users with minimal authorizations.

Accepted: https://www.oasis-open.org/committees/download.php/48622/odata-meeting-30_on-20130321-minutes.html#odata-301

  was:
Services requiring authentication SHOULD support basic authentication over HTTPS and MAY support other authentication methods. Interoperable services MUST support basic authentication.

Services SHOULD NOT change their data model depending on the authenticated user. If the data model is user (group) dependent, all changes MUST be safe changes as defined in 5.2 Endpoint Versioning when comparing the actual model to the model visible to users with minimal authorizations.

Accepted: https://www.oasis-open.org/committees/download.php/48622/odata-meeting-30_on-20130321-minutes.html#odata-301


To summarize the discussion about SHOULD or MUST for basic auth from my point of view:
Because companies may have stricter security requirements than offered by basic auth, we should not put any MUST requirement in the spec. A generic interoperable client SHOULD be prepared to handle basic auth, and services (intermediate conformance level) SHOULD implement basic auth if they want to make their data available to generic applications/clients.

I changed the proposal accordingly and applied it to the document.

> Guidance around data authorization model and secure authenticated access to an OData Service
> --------------------------------------------------------------------------------------------
>
>                 Key: ODATA-301
>                 URL: http://tools.oasis-open.org/issues/browse/ODATA-301
>             Project: OASIS Open Data Protocol (OData) TC
>          Issue Type: Improvement
>          Components: OData Protocol 
>    Affects Versions: V4.0_CSD01
>         Environment: [Applied]
>            Reporter: Ralf Handl
>            Assignee: Martin Zurmuehl
>             Fix For: V4.0_CSD02
>
>
> For interoperability it is highly desirable to define a common minimum set of authentication methods, e.g. if a service requires authentication, it MUST accept basic authentication over HTTPS in addition to whatever else it chooses.
> For data authorization we give guidance on whether the data model may depend on the authenticated user, or only the data content. It puts a higher burden on clients if properties or entity sets appear in or disappear from the model depending on the authenticated user, requiring them to always first interpret $metadata, than if only the data content depends on it, i.e. entities show up or not, nullable properties appear to be null or contain confidential information.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
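The "safe changes only" rule in the proposal can be checked mechanically by comparing the $metadata served to a minimally authorized user against the full model: the full model may add entity sets and properties, but nothing the low-privilege view exposes may be missing or typed differently. The following is an added example, not part of the issue or of any OData TC deliverable; it assumes the OData 4.0 CSDL namespaces, constructed sample $metadata documents, and compares entity sets and property types only (nullability and other facets are not checked).

```python
import xml.etree.ElementTree as ET

# OData 4.0 CSDL namespace (assumed; the final V4.0 value).
EDM = "{http://docs.oasis-open.org/odata/ns/edm}"

# Constructed sample $metadata: the full model, as seen by a fully authorized user.
FULL_MODEL = """<edmx:Edmx xmlns:edmx="http://docs.oasis-open.org/odata/ns/edmx" Version="4.0">
 <edmx:DataServices><Schema xmlns="http://docs.oasis-open.org/odata/ns/edm" Namespace="HR">
  <EntityType Name="Employee"><Key><PropertyRef Name="ID"/></Key>
   <Property Name="ID" Type="Edm.Int32" Nullable="false"/>
   <Property Name="Name" Type="Edm.String"/>
   <Property Name="Salary" Type="Edm.Decimal"/>
  </EntityType>
  <EntityContainer Name="Default"><EntitySet Name="Employees" EntityType="HR.Employee"/></EntityContainer>
 </Schema></edmx:DataServices></edmx:Edmx>"""

# Constructed view for a minimally authorized user: Salary is hidden, a safe (purely additive) difference.
MINIMAL_MODEL = FULL_MODEL.replace('<Property Name="Salary" Type="Edm.Decimal"/>', "")

# Constructed unsafe variant: the low-privilege view redefines Name with another type.
UNSAFE_MODEL = MINIMAL_MODEL.replace('Name="Name" Type="Edm.String"', 'Name="Name" Type="Edm.Int32"')


def model_surface(csdl):
    """Extract {"sets": {set name: entity type}, "types": {type name: {property: Edm type}}}."""
    root = ET.fromstring(csdl)
    sets, types = {}, {}
    for schema in root.iter(EDM + "Schema"):
        ns = schema.get("Namespace")
        for et in schema.iter(EDM + "EntityType"):
            types[f"{ns}.{et.get('Name')}"] = {p.get("Name"): p.get("Type") for p in et.iter(EDM + "Property")}
        for es in schema.iter(EDM + "EntitySet"):
            sets[es.get("Name")] = es.get("EntityType")
    return {"sets": sets, "types": types}


def unsafe_differences(full_csdl, minimal_csdl):
    """Return the unsafe changes between the minimal-authorization view and the full model.

    Every entity set and property visible to the minimal user must exist in the full model with
    the same type; an empty list means the full model only adds to the minimal view.
    """
    full, mini = model_surface(full_csdl), model_surface(minimal_csdl)
    problems = []
    for name, etype in mini["sets"].items():
        if full["sets"].get(name) != etype:
            problems.append(f"entity set {name}: {full['sets'].get(name)} vs {etype}")
    for tname, props in mini["types"].items():
        full_props = full["types"].get(tname, {})
        for pname, ptype in props.items():
            if full_props.get(pname) != ptype:
                problems.append(f"{tname}.{pname}: {full_props.get(pname)} vs {ptype}")
    return problems
```

Run `unsafe_differences(FULL_MODEL, MINIMAL_MODEL)` against the real $metadata fetched with a low-privilege and a high-privilege credential to verify a deployed service against this guidance.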