Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Authorization Consistency Across MDS #584

Closed
schnuerle opened this issue Oct 9, 2020 · 8 comments · Fixed by #835
Closed

Authorization Consistency Across MDS #584

schnuerle opened this issue Oct 9, 2020 · 8 comments · Fixed by #835
Labels
admin Administrative chores etc. Agency Specific to the Agency API documentation documentation change can be for code and/or markdown pages Geography Items related to the Geography API Policy Specific to the Policy API Provider Specific to the Provider API security Impacts the security of data flow/access or authentication
Milestone
2.0.0

Comments

@schnuerle
Copy link
Member

Is your feature request related to a problem? Please describe.

Currently each MDS API has its own descriptions of authorization methods and options.

Provider: Entire Auth.md page with JWT recommended

Agency: Authorization section that requires JWT

Policy: Authorization is not mentioned

Geography: Authorization section and bearer token language with public option

General Information: Authorization is not mentioned

Describe the solution you'd like

These disparate authorization descriptions should be consolidated across MDS and likely put into the General Information page with sections for JWT. The content from Provider could be a starting point, with additional subsections around optional JWT auth, public feeds, etc. Then each API can reference and link to the appropriate section consistently.

Is this a breaking change

  • I'm not sure

Impacted Spec

For which spec is this feature being requested?

  • agency
  • policy
  • provider

Describe alternatives you've considered

N/A

Additional context

This came up in a Working Group call on Oct 7 2020.
@schnuerle schnuerle added admin Administrative chores etc. Agency Specific to the Agency API documentation documentation change can be for code and/or markdown pages Geography Items related to the Geography API Policy Specific to the Policy API Provider Specific to the Provider API security Impacts the security of data flow/access or authentication labels Oct 9, 2020
@schnuerle schnuerle added this to the 2.0.0 milestone Nov 9, 2020
@janedotx
Copy link
Contributor

I think this is a very good idea. Whenever we write this unified authentication information, we should also note that the current reference implementation makes certain assumptions about the claims in the JWT provided by clients to gate certain data (e.g. only certain clients are authorized to view unpublished policies).

@schnuerle
Copy link
Member Author

See notes from the WG call this week.

  • Not complex to fix, but a bit tedious
  • Max can volunteer to do PR at some point
  • Docs and organizing, not breaking or not, not changing
  • May identify areas for improvements along the way

@schnuerle schnuerle modified the milestones: 2.0.0, Next Release Jan 25, 2021
@schnuerle schnuerle modified the milestones: Next Release, 1.2.0 Feb 12, 2021
@schnuerle schnuerle modified the milestones: 1.2.0, 2.0.0 Jul 21, 2021
@schnuerle
Copy link
Member Author

As part of the #506 #644 #796 work, authorization across MDS will be more consistent and clear.

Note to make sure as part of 2.0 work we also make sure Policy, Geography, and Jurisdiction is required to be public, as promised here: https://github.com/openmobilityfoundation/mobility-data-specification/blob/main/general-information.md#optional-authentication

@marie-x
Copy link
Collaborator

marie-x commented Dec 22, 2022

I've been meaning to work on this, based on extensive work on the Lacuna side that we're happy to share.

@schnuerle
Copy link
Member Author

That would be great to share what you are thinking. Seems like it would align well with the Agency/Provider work.

@schnuerle
Copy link
Member Author

schnuerle commented Jan 9, 2023
edited
Loading

Do you think this is resolved with #796 @marie-x ? If not we can move to future release or cleanup now when making release candidate.

@marie-x
Copy link
Collaborator

marie-x commented Jan 9, 2023

I haven't done the writeup yet. If we can get the reconciliation work done, then I can work on this. Else defer I think. Don't feel strongly either way.

@schnuerle schnuerle linked a pull request Feb 8, 2023 that will close this issue
Consolidating authorization across APIs #835
Merged
@schnuerle
Copy link
Member Author

Complete with #835. If you have any recommended changes, leave a comment here for future inclusion during release review process.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
admin Administrative chores etc. Agency Specific to the Agency API documentation documentation change can be for code and/or markdown pages Geography Items related to the Geography API Policy Specific to the Policy API Provider Specific to the Provider API security Impacts the security of data flow/access or authentication
Projects
None yet
Milestone
2.0.0
Development

Successfully merging a pull request may close this issue.

Consolidating authorization across APIs openmobilityfoundation/mobility-data-specification
3 participants
@janedotx @marie-x @schnuerle