openEHR / specifications-ITS-REST

openEHR REST API Specifications
https://specifications.openehr.org/releases/ITS-REST/latest
Apache License 2.0

Clarify if Basic Authentication should be implemented or not. #58

Closed serefarikan closed 6 years ago

serefarikan commented 6 years ago

The latest version of the spec uses the following wording under the Authorisation and Authentication section:

Services SHOULD implement and support a HTTP Authentication and Authorization framework. See RFC 7235 or Mozilla’s HTTP Authentication for more details on this subject.

This makes me think I should implement basic auth. Discussions in the slack channel imply that this is not necessarily the case. Furthermore the spec makes the following statement:

Furthermore there is no assumption or recommendation being made in this specification about which authentication scheme should be used by services and clients.

which conflicts with the first excerpt above. Mentioning the implementation of an auth scheme with SHOULD, followed by a link regarding its details, makes me think this should (notice the regular should here...) be implemented. If the spec is making no assumption, then why give the link to a specific auth scheme?

Please either clarify when/how it should be implemented or remove the part about HTTP authentication, or at least the links to Basic Authentication (which is a specific scheme).

serefarikan commented 6 years ago

Based on the feedback on slack, I'd suggest the following rewording:

Services SHOULD implement and support a HTTP Authentication and Authorization framework (which can support various schemes) but there is no assumption or recommendation being made in this specification about which authentication scheme should be used by services and clients. See RFC 7235 or Mozilla’s HTTP Authentication for details on this subject. If an Authentication and Authorisation framework is present, services MUST properly use WWW-Authenticate and/or Proxy-Authenticate response headers and return HTTP status code 403 Forbidden or 401 Unauthorized or 407 Proxy Authentication whenever applicable, and clients MUST properly use Authorization and Proxy-Authorization in their request headers.
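As an added illustration of the challenge/response framework the proposed wording describes (example code, not part of the openEHR specification or any openEHR project): a scheme-agnostic handler that answers a missing, unsupported or invalid Authorization header with 401 plus WWW-Authenticate, and an authenticated but unauthorised principal with 403. The realm, user table, Bearer token and read permission set are constructed placeholders.

```python
import base64
import hmac
from typing import Callable, Dict, Optional, Tuple

REALM = "openEHR"                                      # constructed realm name
USERS = {"alice": "correct horse", "bob": "hunter2"}   # constructed accounts
ALLOWED_TO_READ = {"alice"}                            # constructed authorisation policy
DEMO_BEARER_TOKEN = "demo-token"                       # constructed opaque token

def check_basic(creds: str) -> Optional[str]:
    """RFC 7617 Basic: base64("user:password"). Returns the principal or None."""
    try:
        user, _, pwd = base64.b64decode(creds, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = USERS.get(user)
    if expected is None:
        return None
    return user if hmac.compare_digest(expected.encode(), pwd.encode()) else None

def check_bearer(token: str) -> Optional[str]:
    """RFC 6750 Bearer: an opaque token. Placeholder validation for the demo."""
    return "alice" if hmac.compare_digest(token.encode(), DEMO_BEARER_TOKEN.encode()) else None

# The RFC 7235 framework stays fixed; which schemes are offered is the deployment's choice.
SCHEMES: Dict[str, Callable[[str], Optional[str]]] = {"basic": check_basic, "bearer": check_bearer}

def challenge_headers() -> Dict[str, str]:
    # RFC 7235: a 401 response carries at least one WWW-Authenticate challenge;
    # listing several challenges tells the client which schemes the service accepts.
    return {"WWW-Authenticate": ", ".join(f'{name.title()} realm="{REALM}"' for name in SCHEMES)}

def basic_header(user: str, password: str) -> str:
    """Client side: build the Authorization header value for the Basic scheme."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def handle(request_headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Authenticate, then authorise a request; returns (status, response headers)."""
    headers = {k.lower(): v for k, v in request_headers.items()}  # header names are case-insensitive
    auth = headers.get("authorization")
    if auth is None:
        return 401, challenge_headers()
    scheme, _, creds = auth.strip().partition(" ")
    validator = SCHEMES.get(scheme.lower())
    if validator is None:
        return 401, challenge_headers()    # unsupported scheme: re-issue the challenge
    principal = validator(creds.strip())
    if principal is None:
        return 401, challenge_headers()    # bad credentials are 401, not 403
    if principal not in ALLOWED_TO_READ:
        return 403, {}                     # authenticated but not permitted
    return 200, {}
```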

sebastian-iancu commented 6 years ago

Spec links are not referring specifically to a particular scheme - the basic-auth scheme is RFC 7617, which is not explicitly stated. The protocol for scheme negotiation between client and server is part of RFC 7235 and should not be part of the openEHR specs.

The intention of the originally mentioned text was to state only that an auth scheme (any!) SHOULD be available to provide a certain security level to the openEHR services. The scheme itself is however not assumed (clients can anyway find out by firing requests at the service).

For conformance testing, if basic-auth is the way to go, then we should add it to the conformance specs as a requirement - but the REST API should not be changed.