Open kellrott opened 2 years ago
Overview of how this is done in other GA4GH APIs as of today (default branches, latest commits).
Here's a table highlighting commonalities/differences (see below for details on each API):
| API | Work Stream | Schemes defined | Applied globally | Applied per operation |
|---|---|---|---|---|
| TES (this PR) | Cloud | basic, bearer, passport | basic, bearer | N/A |
| WES | Cloud | N/A | N/A | N/A |
| DRS | Cloud | basic, bearer, passport | basic, bearer | passport (some operations) |
| TRS | Cloud | bearer | N/A | bearer (all operations) |
| Service Registry | Discovery | bearer | bearer | N/A |
| Service Info | Discovery | bearer | bearer | N/A |
In summary, there is little consistency across the individual specifications with regard to security scheme definitions. The proposed change for adding security schemes to the TES specification follows the definitions for the DRS specification, with the only exception that it does not apply the passport security scheme to any operations. Across the definitions listed, the only two that are completely identical (both in definitions and applications) are the ones from the Discovery Work Stream. The TRS security scheme definition is similar in spirit to those of the Service Registry and Info specifications, but uses the `apiKey` type rather than the `http` type with scheme `bearer`, probably as an artifact from a previous OpenAPI/Swagger 2.0-based definition, which did not support Bearer authentication explicitly. Probably the most relevant template for security scheme definitions in the TES specification would be the WES specification. However, WES currently does not specify security scheme definitions at all.
WES:

No security schemes defined/applied!
DRS:

Definition of security schemes:

```yaml
components:
  securitySchemes:
    BasicAuth:
      type: http
      scheme: basic
      description: |
        A valid authorization token must be passed in the 'Authorization' header,
        e.g. "Basic ${token_string}"
    BearerAuth:
      type: http
      scheme: bearer
      description:
        A valid authorization token must be passed in the 'Authorization' header,
        e.g. "Bearer ${token_string}"
    PassportAuth:
      type: http
      scheme: bearer
      x-in: body
      bearerFormat: JWT
      description:
        A valid GA4GH Passport must be passed in the body of an HTTP POST request as a tokens[] array.
```

Application of security schemes globally, i.e., to all operations:

```yaml
security:
  - {}
  - BasicAuth: []
  - BearerAuth: []
```

Application of security schemes per operation (certain operations only: #1, #2):

```yaml
security:
  - PassportAuth: []
```
TRS:

Definition of security schemes:

```yaml
components:
  securitySchemes:
    BEARER:
      type: apiKey
      name: Authorization
      in: header
```

Application of security schemes globally, i.e., to all operations:

No security schemes applied globally!

Application of security schemes per operation (applied to all operations, e.g., #1):

```yaml
security:
  - BEARER: []
```
Service Registry:

Definition of security schemes:

```yaml
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
```

Application of security schemes globally, i.e., to all operations:

```yaml
security:
  - bearerAuth: []
```

Application of security schemes per operation (certain operations):

No security schemes applied for individual operations!
Service Info:

Definition of security schemes:

```yaml
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
```

Application of security schemes globally, i.e., to all operations:

```yaml
security:
  - bearerAuth: []
```

Application of security schemes per operation (certain operations):

No security schemes applied for individual operations!
Related issue: #151
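The comparison table above was compiled by hand. The following is an added example, not code from this issue or from any GA4GH specification: it audits an OpenAPI 3 document and derives the same "defined / global / per operation" columns mechanically, applying the OpenAPI 3 rule that an operation-level `security` list replaces (rather than merges with) the document-level list. It also flags the two things a reviewer of these specs should notice: the empty requirement object `- {}` in the DRS global list, which makes authentication optional for every operation that does not override it, and the TRS-style declaration of a Bearer token as an `apiKey` in the `Authorization` header. The two embedded specs are constructed, cut-down stand-ins for the DRS and TRS patterns (only security-relevant keys are kept; paths and the helper names are assumptions for the example, not the real documents).

```python
# Added example: audit OpenAPI 3 security declarations. Not code from the TES
# issue or any GA4GH spec; the embedded specs are constructed stand-ins.
from typing import Any, Dict, List

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def effective_security(spec: Dict[str, Any], operation: Dict[str, Any]) -> List[Dict[str, List[str]]]:
    """OpenAPI 3 precedence: an operation-level `security` list replaces the
    document-level one; `security: []` on an operation removes auth for it."""
    if "security" in operation:
        return operation["security"]
    return spec.get("security", [])


def audit(spec: Dict[str, Any]) -> Dict[str, Any]:
    """Return defined schemes, global schemes, per-operation effective schemes
    and a list of findings a spec reviewer would want to see."""
    defined = spec.get("components", {}).get("securitySchemes", {})
    findings: List[str] = []

    for name, scheme in defined.items():
        # A Bearer token declared as an apiKey in the Authorization header is a
        # Swagger 2.0 leftover; OpenAPI 3 has type: http / scheme: bearer for it.
        if (scheme.get("type") == "apiKey" and scheme.get("in") == "header"
                and scheme.get("name", "").lower() == "authorization"):
            findings.append(f"{name}: apiKey in 'Authorization' header; use type http, scheme bearer")

    operations: Dict[str, Dict[str, Any]] = {}
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            if method not in item:
                continue
            op = item[method]
            op_id = f"{method.upper()} {path}"
            reqs = effective_security(spec, op)
            schemes = sorted({name for req in reqs for name in req})
            # An empty list means no requirement at all; an empty requirement
            # object ({}) in the list makes every other alternative optional.
            anonymous = not reqs or any(req == {} for req in reqs)
            for name in schemes:
                if name not in defined:
                    findings.append(f"{op_id}: references undefined scheme '{name}'")
            if anonymous:
                findings.append(f"{op_id}: anonymous access allowed")
            operations[op_id] = {
                "schemes": schemes,
                "anonymous": anonymous,
                "source": "operation" if "security" in op else "global",
            }

    return {
        "defined": sorted(defined),
        "global": sorted({name for req in spec.get("security", []) for name in req}),
        "operations": operations,
        "findings": findings,
    }


def table_row(api: str, report: Dict[str, Any]) -> str:
    """Render one row in the shape of the comparison table in the issue."""
    per_op = sorted({name for info in report["operations"].values()
                     if info["source"] == "operation" for name in info["schemes"]})

    def cell(names: List[str]) -> str:
        return ", ".join(names) if names else "N/A"

    return f"{api} | {cell(report['defined'])} | {cell(report['global'])} | {cell(per_op)}"


# Constructed stand-in for the DRS pattern: three schemes, two of them global
# behind an optional `{}`, passport only on one POST operation.
DRS_LIKE: Dict[str, Any] = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": {
        "BasicAuth": {"type": "http", "scheme": "basic"},
        "BearerAuth": {"type": "http", "scheme": "bearer"},
        "PassportAuth": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"},
    }},
    "security": [{}, {"BasicAuth": []}, {"BearerAuth": []}],
    "paths": {
        "/objects/{id}": {"get": {}, "post": {"security": [{"PassportAuth": []}]}},
        "/service-info": {"get": {}},
    },
}

# Constructed stand-in for the TRS pattern: apiKey-typed bearer, no global
# list, and one operation that declares no security at all.
TRS_LIKE: Dict[str, Any] = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": {
        "BEARER": {"type": "apiKey", "name": "Authorization", "in": "header"},
    }},
    "paths": {
        "/tools": {"get": {"security": [{"BEARER": []}]}},
        "/tools/{id}": {"get": {}},
    },
}

if __name__ == "__main__":
    for api, spec in (("DRS-like", DRS_LIKE), ("TRS-like", TRS_LIKE)):
        report = audit(spec)
        print(table_row(api, report))
        for finding in report["findings"]:
            print("  -", finding)
```

Run against a real spec by loading its YAML into a dict (PyYAML's `yaml.safe_load`) and passing it to `audit`; the per-operation view is what matters in review, since a `- {}` entry at the top level silently makes every non-overriding operation reachable without credentials, and a missing `security` key on one operation drops it out of the global requirement entirely.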