gbv / jskos-server

Web service to access JSKOS data
https://coli-conc.gbv.de/api/
MIT License

Configure which kind of authentication to use for which action #103

Closed stefandesu closed 4 years ago

stefandesu commented 4 years ago

Currently, it is basically only possible to enable or disable authentication for certain actions (via auth: true). Additionally, there are certain properties that affect the authentication (i.e. identities, and also ips, which is in addition to the JWT authentication). In #97, I suggested supporting multiple authentication types, which is basically already there (JWT and IP addresses), so this would be an addition to that. It needs to be very clear who can use which endpoint with which type of authentication.

This issue consists of three big parts:

nichtich commented 4 years ago

I thought IP addresses are on top of JWT authentication, no? We can have:

As discussed in #97, authentication could be extended to allow user tokens as an alternative to normal JWT. This does not require changes in configuration. Any arguments against supporting user tokens via Authentication: Bearer <token> as well? jskos-server only needs to check whether the token is a user token, whether it is valid and which user it belongs to, np?

stefandesu commented 4 years ago

I thought IP addresses are on top of JWT authentication

Yeah, it is on top of JWT authentication, that was my point. But reading your comments, I would suggest to change as little as possible and just provide a command line script for bots to get a JWT that they can use for authentication.

  • ips (not documented yet)

It is documented, but not yet merged. For the latest version, see the import-refactor branch where I apparently made some changes.