OASIS Mailing List Archives



odata message


Subject: [OASIS Issue Tracker] (ODATA-1145) Align Authorization vocabulary with OpenAPI V3

    [ https://issues.oasis-open.org/browse/ODATA-1145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=68952#comment-68952 ] 

Michael Pizzo commented on ODATA-1145:

For specifying required authorizations for a particular resource, should we:
1) Still allow inlining the <Authorizations> term for a specific resource, or 
2) Introduce a new term for annotating a resource outside of HttpRequest, or
3) Rely on specifying HttpRequests in order to specify the required auth for a resource?

Does <Authorizations> applied to EntityContainer only define the available authorizations? Do we need a way to define a default set of authorizations required for the service?

Option 1: Define "SecuritySchemes" as a term that could be applied to EntityContainer (to define the default security schemes that could be applied to the service) and optionally allow as the set of default security schemes that could be applied to an entityset/singleton (and overwritten by whatever is specified in the HttpRequest):
<Term Name="SecuritySchemes" Type="Collection(Auth.SecurityScheme)">
  <Annotation Term="Core.Description" String="At least one of the specified security schemes is required to access the resource."/>
</Term>

Option 2: Continue to allow nesting an authorization within a resource to specify the default security schemes for that resource

Option 3: Only support applying authorizations to individual HttpRequests (since they are likely to vary depending on the request method)

> Align Authorization vocabulary with OpenAPI V3
> ----------------------------------------------
>                 Key: ODATA-1145
>                 URL: https://issues.oasis-open.org/browse/ODATA-1145
>             Project: OASIS Open Data Protocol (OData) TC
>          Issue Type: Bug
>          Components: Vocabularies
>    Affects Versions: V4.01_CS01
>         Environment: [Proposed]
>            Reporter: Michael Pizzo
>             Fix For: V4.01_CS02
> Our Authorization vocabulary was defined based on Swagger V2.
> OpenAPI V3 changes slightly the way authorization is specified.  In particular, it allows defining authorization flows, and then referencing those flows with a required set of scopes for a particular operation.
> OData-884 proposes adding the ability to specify the requests (and corresponding responses) associated with an entity set, singleton, etc. As part of this proposal, it makes sense to be able to associate particular flows and required scopes with those requests.  This can be done by:
> 1) Adding a Name to the Authorization type in order to reference a particular authorization, and
> 2) Adding a "SecuritySchemes" property to the HTTPRequest type that is a collection of authorization/scope requirements for invoking this particular request.

This message was sent by Atlassian JIRA
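The precedence sketched in Option 1 (a service-wide default set of security schemes on the EntityContainer, optionally overridden on an entity set or singleton, and finally overridden by whatever a specific HttpRequest states) is easy to get wrong when a service or a client library resolves it at runtime. The following added example, which is not part of the issue, the OData vocabularies or any OASIS deliverable, resolves the effective requirement for a resource and request method from a constructed CSDL document and then checks whether a caller's presented scopes satisfy at least one of the resolved schemes. It assumes the proposed shapes: an `Auth.SecuritySchemes` annotation holding records with `Authorization` (the scheme name) and `RequiredScopes`, and a `Capabilities.HttpRequests` annotation (the ODATA-884 proposal) whose records carry `Method` and `SecuritySchemes`. Both shapes are assumptions about the proposal, not the published vocabulary.

```python
"""Resolve and enforce OData Auth.SecuritySchemes with container -> entity set -> request precedence.

Added example; not code from the OASIS issue or the OData TC. The vocabulary shapes
(Auth.SecuritySchemes records with Authorization + RequiredScopes, and a
Capabilities.HttpRequests term with Method + SecuritySchemes) are assumptions.
"""
import xml.etree.ElementTree as ET

EDM = "{http://docs.oasis-open.org/odata/ns/edm}"

# Constructed metadata document for this example (not a real service).
METADATA = """<?xml version="1.0" encoding="utf-8"?>
<edmx:Edmx xmlns:edmx="http://docs.oasis-open.org/odata/ns/edmx" Version="4.01">
 <edmx:DataServices>
  <Schema xmlns="http://docs.oasis-open.org/odata/ns/edm" Namespace="Demo">
   <EntityContainer Name="Container">
    <EntitySet Name="Products" EntityType="Demo.Product">
     <Annotation Term="Auth.SecuritySchemes">
      <Collection><Record>
       <PropertyValue Property="Authorization" String="oauth"/>
       <PropertyValue Property="RequiredScopes"><Collection><String>products.read</String></Collection></PropertyValue>
      </Record></Collection>
     </Annotation>
     <Annotation Term="Capabilities.HttpRequests">
      <Collection><Record>
       <PropertyValue Property="Method" String="DELETE"/>
       <PropertyValue Property="SecuritySchemes">
        <Collection><Record>
         <PropertyValue Property="Authorization" String="oauth"/>
         <PropertyValue Property="RequiredScopes"><Collection><String>products.admin</String></Collection></PropertyValue>
        </Record></Collection>
       </PropertyValue>
      </Record></Collection>
     </Annotation>
    </EntitySet>
    <EntitySet Name="Orders" EntityType="Demo.Order"/>
    <Annotation Term="Auth.SecuritySchemes">
     <Collection><Record>
      <PropertyValue Property="Authorization" String="apikey"/>
      <PropertyValue Property="RequiredScopes"><Collection/></PropertyValue>
     </Record></Collection>
    </Annotation>
   </EntityContainer>
  </Schema>
 </edmx:DataServices>
</edmx:Edmx>
"""


def _annotation(element, term):
    """Return the <Collection> of a direct-child <Annotation Term=...>, or None."""
    for ann in element.findall(EDM + "Annotation"):
        if ann.get("Term") == term:
            return ann.find(EDM + "Collection")
    return None


def _read_schemes(collection):
    """Turn Auth.SecurityScheme-shaped records into (scheme name, frozenset of scopes) pairs."""
    schemes = []
    for rec in collection.findall(EDM + "Record"):
        name, scopes = None, frozenset()
        for pv in rec.findall(EDM + "PropertyValue"):
            if pv.get("Property") == "Authorization":
                name = pv.get("String")
            elif pv.get("Property") == "RequiredScopes":
                scopes = frozenset(s.text for s in pv.iter(EDM + "String"))
        schemes.append((name, scopes))
    return schemes


def effective_schemes(metadata_xml, entity_set, method):
    """Most specific requirement wins: HttpRequest > entity set/singleton > EntityContainer."""
    root = ET.fromstring(metadata_xml)
    container = root.find(f".//{EDM}EntityContainer")
    chosen = _annotation(container, "Auth.SecuritySchemes")  # 1. service-wide default
    resources = container.findall(EDM + "EntitySet") + container.findall(EDM + "Singleton")
    resource = next((r for r in resources if r.get("Name") == entity_set), None)
    if resource is not None:
        override = _annotation(resource, "Auth.SecuritySchemes")  # 2. resource-level default
        if override is not None:
            chosen = override
        requests = _annotation(resource, "Capabilities.HttpRequests")  # assumed term
        for req in ([] if requests is None else requests.findall(EDM + "Record")):
            props = {pv.get("Property"): pv for pv in req.findall(EDM + "PropertyValue")}
            if "Method" in props and props["Method"].get("String") == method and "SecuritySchemes" in props:
                chosen = props["SecuritySchemes"].find(EDM + "Collection")  # 3. per-request override
    return [] if chosen is None else _read_schemes(chosen)


def is_authorized(schemes, presented):
    """presented maps scheme name -> scopes the caller actually proved.

    Option 1 semantics: at least one listed scheme must be fully satisfied.
    A resource that resolves to no scheme at all is treated as denied here; that is a
    deliberate fail-closed choice for this example, not something the proposal states.
    """
    if not schemes:
        return False
    return any(name in presented and scopes <= presented[name] for name, scopes in schemes)


if __name__ == "__main__":
    for es, m in [("Orders", "GET"), ("Products", "GET"), ("Products", "DELETE")]:
        print(es, m, effective_schemes(METADATA, es, m))
```

Running the script shows `Orders GET` falling back to the container-level `apikey` scheme, `Products GET` picking up the entity-set override (`oauth` with `products.read`), and `Products DELETE` taking the per-request requirement (`oauth` with `products.admin`); a token that only carries `products.read` is rejected for the DELETE.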
