erasmus-without-paper / ewp-specs-api-imobilities

Missing sending_hei_id parameters #2

Closed wrygiel closed 1 year ago

wrygiel commented 6 years ago

Reported by Polish developers. The following endpoints are probably missing a sending_hei_id request parameter:

ArgyrisBesinas commented 2 years ago

We started development for the dashboard ewp node and we are also facing issues regarding this missing query parameter. omobility_id is not enough to uniquely identify an imobility. Hosts with multiple heis can have omobilities with the same omobility_id and different sending_hei_id for the same receiving_hei_id. When we request an imobility with only omobility_id and receiving_hei_id we can have two matches.

Can the sending_hei_id query param be added to the imobility and imobility cnr endpoints?

janinamincer-daszkiewicz commented 2 years ago

This will not be needed when we introduce the planned change - one HEI per manifest with the unique URL for API and unique key/certificate.

ArgyrisBesinas commented 2 years ago

What is the timeframe for the implementation of this change?

janinamincer-daszkiewicz commented 2 years ago

As shared in the e-mail to developers.

janinamincer-daszkiewicz commented 1 year ago

This problem disappeared with Discovery 6.0.0.

maurovanetti commented 5 months ago

Thank you. IMHO this should be specified in the document anyway, because it's unclear where the sending_hei_id to disambiguate omobility_id identifiers should come from.

mkurzydlowski commented 5 months ago

Isn't this enough?

It's clear what the calling HEI is for all EWP APIs.

maurovanetti commented 5 months ago

Honestly, it could be clearer. But it may just be me not being very bright. :-)

The specs are spread in so many different repos, and even after reading this other link on another repo I'm not entirely sure where the remote HEI id comes from. I need to check the Discovery specs, which I also did, and then the specs of the individual authentication methods, and then… Something to help the inexperienced navigate the specifications would be more than welcome.

janinamincer-daszkiewicz commented 5 months ago

You may find this helpful: https://esci-sd.atlassian.net/wiki/spaces/ITSC/pages/111706138/EWP+in+GitHub

maurovanetti commented 5 months ago

Thank you! It did help. After some research, at https://github.com/erasmus-without-paper/ewp-specs-api-registry I found this that should be the answer:

Question 2: I have received a HTTPS request signed by a client certificate cert. Data of which HEIs is this client privileged to access?

Determine the certificate's SHA-256 fingerprint first (e.g. DigestUtils.sha256Hex(cert.getEncoded()) if you're using Java). Then, you can use an XPath expression similar to this one:

//r:client-credentials-in-use/r:certificate[@sha-256="<your-digest>"]/../../r:institutions-covered/r:hei-id

[…]

Question 4: I have received a request signed with HTTP Signature with keyId equal to X. I have already validated the signature (as described in question 3), so I know that the sender is in possession of the private part of the key-pair. How do I retrieve the list of HEIs whose data is this client privileged to access?

You can use an XPath expression similar to this one:

//r:client-credentials-in-use/r:rsa-public-key[@sha-256="X"]/../../r:institutions-covered/r:hei-id

(I leave it here in case others in the future struggle to find this piece of information.)
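
The lookup quoted in the last comment, as an added Python example that is not part of the thread or of the EWP project's code: it resolves the calling HEI from the client certificate's SHA-256 fingerprint and uses it to tell apart two imobility records that share an omobility_id. The catalogue, certificate bytes, records and the find_imobilities helper are constructed for illustration, and the namespace URI bound to the r prefix is an assumption.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Assumption: namespace URI bound to the "r" prefix in the quoted XPath.
NS = {"r": "https://github.com/erasmus-without-paper/ewp-specs-api-registry/tree/stable-v1"}
HEX64 = re.compile(r"[0-9a-f]{64}")

def sha256_hex(der: bytes) -> str:
    """Lowercase hex SHA-256 of the DER bytes, like DigestUtils.sha256Hex()."""
    return hashlib.sha256(der).hexdigest()

# Constructed stand-ins for DER-encoded client certificates (not real certs).
CERT_A, CERT_B = b"constructed-cert-host-a", b"constructed-cert-host-b"

# Constructed catalogue: two hosts, one HEI each.
CATALOGUE = ET.fromstring(f"""
<catalogue xmlns="{NS['r']}">
  <host>
    <institutions-covered><hei-id>a.example</hei-id></institutions-covered>
    <client-credentials-in-use>
      <certificate sha-256="{sha256_hex(CERT_A)}"/>
    </client-credentials-in-use>
  </host>
  <host>
    <institutions-covered><hei-id>b.example</hei-id></institutions-covered>
    <client-credentials-in-use>
      <certificate sha-256="{sha256_hex(CERT_B)}"/>
    </client-credentials-in-use>
  </host>
</catalogue>""")

def covered_heis(root, digest, kind="certificate"):
    """HEI ids the credential is registered for; empty set if unknown."""
    # Digests and keyId values arrive with the request: accept only the exact
    # fingerprint shape before placing the value into the XPath.
    if kind not in ("certificate", "rsa-public-key") or not HEX64.fullmatch(digest):
        return set()
    path = (f".//r:client-credentials-in-use/r:{kind}[@sha-256='{digest}']"
            "/../../r:institutions-covered/r:hei-id")
    return {e.text.strip() for e in root.findall(path, NS)}

# Constructed imobility records: same omobility_id, different sending HEIs.
RECORDS = [
    {"sending_hei_id": "a.example", "receiving_hei_id": "r.example", "omobility_id": "1"},
    {"sending_hei_id": "b.example", "receiving_hei_id": "r.example", "omobility_id": "1"},
]

def find_imobilities(records, client_cert_der, receiving_hei_id, omobility_id):
    """Scope the lookup to HEIs covered by the caller's certificate."""
    callers = covered_heis(CATALOGUE, sha256_hex(client_cert_der))
    return [r for r in records if r["sending_hei_id"] in callers
            and r["receiving_hei_id"] == receiving_hei_id
            and r["omobility_id"] == omobility_id]
```

A credential that is not in the catalogue yields an empty set, so the lookup returns no records instead of falling back to an unscoped match.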