Open FabrizioMoggio opened 1 month ago
Asked to Commonalities: https://github.com/camaraproject/Commonalities/discussions/245
CAMARA document where some implementation guidelines for 3-legged access are defined: CAMARA-API-access-and-user-consent.md.
Every time personal user data is processed by an API and the user can exercise their rights either via opt-in and/or opt-out, 3-legged access tokens must be used.
**Problem description**

GET methods are currently adopting OpenID. This is a mistake because they are invoked when the user is not online to give consent, and anyway they provide back to the API Consumer information that was already previously managed via OpenID in the POST methods.

The same applies to the DELETE method.
**Expected behavior**

Because the GET methods provide back information to the API Consumer on resources created with POST using Consent Management, we should secure those GET methods with client credentials.

The same applies to the DELETE method.
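Added example of the policy the issue proposes (this is illustration code, not the issue author's code and not CAMARA project code): a per-method authorization check that requires a 3-legged token carrying the consenting user's subject on POST, and accepts a client-credentials token on GET and DELETE while binding those methods to the API consumer that created the resource with POST. The claim names (`sub`, `client_id`, `scope`), the scope names, the in-memory resource record, and the choice to also accept a 3-legged token on GET/DELETE when it belongs to the same user are assumptions of this example. Token signature and expiry validation is assumed to have happened before the claims reach this check.

```python
"""Per-method token-type policy for a resource created under user consent.

Assumptions (not from the CAMARA issue): claim names follow common OAuth/OIDC
usage, scope strings are made up for the example, and some authorization
servers set `sub` equal to `client_id` in client-credentials tokens, so a
`sub` that equals `client_id` is not treated as an end user.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Proposed policy from the issue: the grant each method must at least carry.
METHOD_POLICY = {
    "POST": "three_legged",          # creates the resource; needs user consent
    "GET": "client_credentials",     # reads what POST created; user is offline
    "DELETE": "client_credentials",  # removes what POST created; user is offline
}


@dataclass
class Resource:
    """Record written at POST time: which consumer created it and which user consented."""
    resource_id: str
    owner_client_id: str
    subject: str


def token_kind(claims: dict) -> str:
    """Classify already-validated token claims as 3-legged or client-credentials."""
    client_id = claims.get("client_id")
    if not client_id:
        raise ValueError("token has no client_id claim")
    sub = claims.get("sub")
    # A real end-user subject that differs from the client marks a 3-legged token.
    if sub and sub != client_id:
        return "three_legged"
    return "client_credentials"


def authorize(method: str, claims: dict, required_scope: str,
              resource: Optional[Resource] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request against the method policy."""
    required = METHOD_POLICY.get(method)
    if required is None:
        return False, f"no policy for method {method}"
    if required_scope not in claims.get("scope", "").split():
        return False, f"missing scope {required_scope}"

    kind = token_kind(claims)
    if required == "three_legged" and kind != "three_legged":
        # Client-credentials tokens prove the consumer, not the user's consent.
        return False, "user consent required: 3-legged token needed for POST"

    if method in ("GET", "DELETE"):
        if resource is None:
            return False, "resource not found"
        # With a 2-legged token the only binding left is the consumer itself:
        # a consumer may only read or delete resources it created.
        if resource.owner_client_id != claims["client_id"]:
            return False, "resource belongs to another API consumer"
        # A 3-legged token on GET/DELETE must additionally match the consenting user.
        if kind == "three_legged" and resource.subject != claims["sub"]:
            return False, "resource belongs to another user"
    return True, "ok"


# Constructed sample claims and a constructed resource, for illustration only.
USER_TOKEN = {"sub": "user-123", "client_id": "consumer-A",
              "scope": "sessions:create sessions:read sessions:delete"}
CC_TOKEN_A = {"sub": "consumer-A", "client_id": "consumer-A",
              "scope": "sessions:create sessions:read sessions:delete"}
CC_TOKEN_B = {"sub": "consumer-B", "client_id": "consumer-B",
              "scope": "sessions:read sessions:delete"}
SESSION = Resource("sess-1", owner_client_id="consumer-A", subject="user-123")


def demo() -> dict:
    """Run the representative cases and return their verdicts."""
    return {
        "post_with_user_token": authorize("POST", USER_TOKEN, "sessions:create"),
        "post_with_cc_token": authorize("POST", CC_TOKEN_A, "sessions:create"),
        "get_with_cc_owner": authorize("GET", CC_TOKEN_A, "sessions:read", SESSION),
        "get_with_cc_other": authorize("GET", CC_TOKEN_B, "sessions:read", SESSION),
        "delete_with_cc_owner": authorize("DELETE", CC_TOKEN_A, "sessions:delete", SESSION),
        "get_with_user_token": authorize("GET", USER_TOKEN, "sessions:read", SESSION),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'} ({reason})")
```

The point the example makes beyond the issue text: moving GET and DELETE to client credentials removes the user from the token, so the API itself has to remember at POST time which consumer created the resource and refuse reads and deletes from any other consumer, otherwise a scoped 2-legged token from one consumer would reach another consumer's resources.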