ga4gh / task-execution-schemas

Apache License 2.0

Adding auth headers standardized in DRS #162

Open kellrott opened 2 years ago

uniqueg commented 2 years ago

Related issue: #151

uniqueg commented 2 years ago

Overview of how this is done in other GA4GH APIs as of today (default branches, latest commits).

Summary

Here's a table highlighting commonalities/differences (see below for details on each API):

| API | Work Stream | Schemes | Applied globally | Applied per operation |
| --- | --- | --- | --- | --- |
| TES (this PR) | Cloud | basic, bearer, passport | basic, bearer | N/A |
| WES | Cloud | N/A | N/A | N/A |
| DRS | Cloud | basic, bearer, passport | basic, bearer | passport (some operations) |
| TRS | Cloud | bearer | N/A | bearer (all operations) |
| Service Registry | Discovery | bearer | bearer | N/A |
| Service Info | Discovery | bearer | bearer | N/A |

In summary, there is little consistency across the individual specifications with regard to security scheme definitions. The proposed change for adding security schemes to the TES specification follows the definitions for the DRS specification, with the only exception that it does not apply the passport security scheme to any operations. Across the definitions listed, the only two that are completely identical (both in definitions and applications) are the ones from the Discovery Work Stream. The TRS security scheme definition is similar in spirit to those of the Service Registry and Info specifications, but uses the apiKey type rather than the http type with scheme bearer, probably as an artifact from a previous OpenAPI/Swagger 2.0-based definition, which did not support Bearer authentication explicitly. Probably the most relevant template for security scheme definitions in the TES specification would be the WES specification. However, WES currently does not specify security scheme definitions at all.

Details

WES, commit 33253aa

No security schemes defined/applied!

DRS, commit 4ae488e

Definition of security schemes:

components:
  securitySchemes:
    BasicAuth:
      type: http
      scheme: basic
      description: |
        A valid authorization token must be passed in the 'Authorization' header,
        e.g. "Basic ${token_string}"
    BearerAuth:
      type: http
      scheme: bearer
      description:
        A valid authorization token must be passed in the 'Authorization' header,
        e.g. "Bearer ${token_string}"
    PassportAuth:
      type: http
      scheme: bearer
      x-in: body
      bearerFormat: JWT
      description:
        A valid GA4GH Passport must be passed in the body of an HTTP POST request as a tokens[] array.

Application of security schemes globally, i.e., to all operations:

security:
  - {}
  - BasicAuth: []
  - BearerAuth: []

Application of security schemes per operation (certain operations only: #1, #2):

security:
  - PassportAuth: []

TRS, commit 75a9ca3

Definition of security schemes:

components:
  securitySchemes:
    BEARER:
      type: apiKey
      name: Authorization
      in: header

Application of security schemes globally, i.e., to all operations:

No security schemes applied globally!

Application of security schemes per operation (applied to all operations, e.g., #1):

security:
  - BEARER: []

Service Registry, commit e0358db

Definition of security schemes:

components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT

Application of security schemes globally, i.e., to all operations:

security:
  - bearerAuth: []

Application of security schemes per operation (certain operations):

No security schemes applied for individual operations!

Service Info, commit 11d2c12

Definition of security schemes:

components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT

Application of security schemes globally, i.e., to all operations:

security:
  - bearerAuth: []

Application of security schemes per operation (certain operations):

No security schemes applied for individual operations!
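The per-operation comparison above was done by hand; as an added example (not part of this PR or of any GA4GH specification), the following Python computes the effective security requirements for every operation of an OpenAPI 3 document, applying the OpenAPI rule that an operation-level `security` list replaces the global one and that an empty `{}` requirement (as in the DRS global block) makes credentials optional. The embedded spec is a constructed sample that mirrors the DRS-style definitions; it is not the real DRS document.

```python
"""Audit which security schemes an OpenAPI 3 document applies to each operation."""
import json

# Constructed sample modelled on the DRS-style definitions above; not a real GA4GH spec.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "components": {"securitySchemes": {
    "BasicAuth":    {"type": "http", "scheme": "basic"},
    "BearerAuth":   {"type": "http", "scheme": "bearer"},
    "PassportAuth": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"}}},
  "security": [{}, {"BasicAuth": []}, {"BearerAuth": []}],
  "paths": {
    "/objects/{id}": {
      "get":  {"operationId": "GetObject"},
      "post": {"operationId": "PostObject", "security": [{"PassportAuth": []}]}},
    "/service-info": {
      "get":  {"operationId": "GetServiceInfo", "security": []}}}
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def effective_security(spec):
    """Map operationId -> {"schemes", "anonymous", "source", "undefined"}.
    OpenAPI rules: an operation-level `security` list replaces the global one
    entirely (no merging); an empty requirement `{}` makes credentials optional
    and an empty list `[]` drops every requirement; both are flagged `anonymous`.
    """
    global_sec = spec.get("security")
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    report = {}
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            if "security" in op:
                sec, source = op["security"], "operation"
            elif global_sec is not None:
                sec, source = global_sec, "global"
            else:
                sec, source = [], "none"
            schemes = {name for req in sec for name in req}
            report[op.get("operationId", f"{method.upper()} {path}")] = {
                "schemes": sorted(schemes), "source": source,
                "anonymous": not sec or any(req == {} for req in sec),
                "undefined": sorted(schemes - defined)}  # referenced but never defined
    return report
```

Running it on the sample flags `GetObject` (inherits the global list with `{}`) and `GetServiceInfo` (empty list) as callable without credentials, which is the kind of gap a reviewer would want to see listed rather than inferred from the YAML.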