Open uniqueg opened 9 months ago
- While the TRS
securityScheme
is calledBEARER
, it actually mandatesapiKey
-based authentication; assuming that its name expresses its intention to be used equivalently to bearer token authentication, this is presumably a remnant from migrating the specification over from Swagger/OpenAPI 2.x, where bearer authentication was not explicitly supported with its own scheme
Very possible. The other part of the explanation is that the endpoints are default public. i.e. If a workflow is public, you don't need auth, you only need auth if the workflow is not public yet In other words, auth isn't heavily used yet AFAIK
We should probably fix the security scheme before it is
Good point @denis-yuen. Although it's probably still good practice to implement an authentication scheme in TRS implementations to better guard against, e.g., DDoS attacks. And as it is, as long as you define any security Scheme
in the specs and apply it, fully compliant implementations would have to support it. Which, for TES, is the main reason why we, or at least I, want to put it in. But your mileage may vary for TRS.
But if you wanna keep it in, I agree that it's probably a good idea to change it.
Problem
Currently, the TES API specification does not mandate implementers to require any authentication scheme. The specification merely mentions the following relevant paragraphs in its service description:
Arguably, any public API must be protected from abuse by authentication (and authorization) policies, especially when offering access to compute resources, so mandating an authentication policy is prudent.
Moreover, enforcing at least one common, widely used authentication policy required to be supported by all implementations makes it considerably easier to design systems/environments in which multiple TES implementations are used concurrently, e.g., in federated TES networks.
Overview
OpenAPI currently (version 3.x) supports the following authentication (or authorization) schemes:
Other GA4GH OpenAPI specifications define the following
securitySchemes
:bearerAuth:
type: http
scheme: bearer
BasicAuth:
type: http
scheme: basic
description: |
A valid authorization token must be passed in the 'Authorization' header,
e.g. "Basic ${token_string}"
BearerAuth:
type: http
scheme: bearer
description:
A valid authorization token must be passed in the 'Authorization' header,
e.g. "Bearer ${token_string}"
PassportAuth:
type: http
scheme: bearer
x-in: body
bearerFormat: JWT
description:
A valid GA4GH Passport must be passed in the body of an HTTP POST request
as a tokens[] array.
bearerAuth:
type: http
scheme: bearer
bearerFormat: JWT
bearerAuth:
type: http
scheme: bearer
bearerFormat: JWT
BEARER:
type: apiKey
name: Authorization
in: header
Bearer token authentication seems to be the consensus for those API specifcations that do prescribe authentication schemes, with the following exceptions:
securityScheme
is calledBEARER
, it actually mandatesapiKey
-based authentication; assuming that its name expresses its intention to be used equivalently to bearer token authentication, this is presumably a remnant from migrating the specification over from Swagger/OpenAPI 2.x, where bearer authentication was not explicitly supported with its own schemeProposed solution
Mandate implementers to support JWT OAuth2 bearer tokens for authentication and apply it globally to all endpoints.
Alternative solutions