Closed emil-cheung closed 1 year ago
Hi @emil-cheung,
This issue will likely be obsolete once we update the spec to the new guidelines for Notifications (PR #155), as apiKey is currently only mentioned in relation to notifications and the guidelines require using a header for Authorization:
notificationAuthToken | string | OAuth2 token to be used by the callback API endpoint. It MUST be indicated within HTTP Authorization header e.g. Authorization: Bearer $notificationAuthToken | optional
@jlurien thanks for the reply. When I check the PR, I see a similar concern raised. We could use the PR to discuss this issue.
Decision taken within today's call to omit apiKey completely from the API spec. To be done in #155 (@akoshunyadi).
Closed with #155
Problem description
Possible evolution
Change to use header to carry API key.
Alternative solution
Use cookie to carry the API key. However, Camara API design guideline also mentions authentication/authorization requests should not rely on cookies or sessions.
Additional context
Camara API design guideline