The proposed change requires compliant TES implementations to implement JWT-based bearer token authentication.
This will make it easy for client applications to implement the popular OpenID Connect protocol to authenticate users and generate access tokens that could be used to give access to a variety of GA4GH API-backed microservices, following the OAuth2 framework.
In fact, this is also the authentication/authorization flow suggested by the current GA4GH Authentication and Authorization Infrastructure guidelines.
As highlighted in the overview section of #198, bearer token authentication is also the current consensus across other GA4GH OpenAPI specifications that have defined at least one security scheme.
The suggestions to state JWT as the bearerFormat (which accepts arbitrary strings but mentions JWT in its documentation) and to describe the expected behavior explicitly were included to strongly encourage implementers to follow JWT OAuth2 bearer token specifications expressly.
Of course, each implementation can still choose to support any number of alternative, or additional, security schemes.
Closes #198
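As an added example, not part of this PR or of the TES specification: the server-side behaviour that a bearer-JWT security scheme implies, written in stdlib Python. It assumes an HS256 shared secret for brevity (the constructed mint_token helper stands in for the OpenID Connect provider); a real deployment would verify RS256 signatures against the provider's published JWKS.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Constructed test helper: issue an HS256 JWT, standing in for the OIDC provider."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_bearer(authorization: Optional[str], key: bytes, audience: str,
                    now: Optional[float] = None) -> dict:
    """Resource-server check for 'Authorization: Bearer <jwt>' (RFC 6750).
    Returns the claims on success; raises ValueError, which the API maps to HTTP 401."""
    if not authorization or not authorization.startswith("Bearer "):
        raise ValueError("missing or non-bearer Authorization header")
    parts = authorization[len("Bearer "):].strip().split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the expected algorithm server-side; never let the token's own 'alg' pick it.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    aud = claims.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        raise ValueError("audience mismatch")
    return claims
```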
@MattMcL4475