-
Notifications
You must be signed in to change notification settings - Fork 32
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve Access and User Consent document #182
Conversation
Hi @chrishowell |
@chrishowell @AxelNennker This is a great contribution, thank you Chris! On the other hand, I've labeled the PR with
|
Thanks for reviewing :) it's a bit difficult to split this into multiple PRs as the 'better English' comes with using defined terms.. |
@chrishowell As discussed by the team in yesterday's WG call, in order to move things forward, could you split the content of this PR into three:
|
FYI @chrishowell @AxelNennker @sebdewet This PR is now split into:
We may think of closing this PR and finishing the work in the others. |
@sebdewet @AxelNennker It's ok with you if I close this PR after the split? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like the changes, but there seems to be a lot of capitalization of nouns, which are not proper nouns. I highlighted a few in this review, but didn't go through all of them.
|
||
The document covers aspects regarding CAMARA APIs access and the user consent management, which includes following concepts: | ||
This document defines guidelines for the Operator's API Exposure Platform to manage CAMARA API access and when applicable, User Consent to comply with data protection requirements, and it introduces the formal concept of Purpose within an API invocation. Note that the document is predominantly based on concepts defined within GDPR regulations, however the proposed solution and concepts are generic and can by mapped to any relevant local data protection regulations. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This document defines guidelines for the Operator's API Exposure Platform to manage CAMARA API access and when applicable, User Consent to comply with data protection requirements, and it introduces the formal concept of Purpose within an API invocation. Note that the document is predominantly based on concepts defined within GDPR regulations, however the proposed solution and concepts are generic and can by mapped to any relevant local data protection regulations. | |
This document defines guidelines for the operator's API exposure platform to manage CAMARA API access and when applicable, user consent to comply with data protection requirements, and it introduces the formal concept of purpose within an API invocation. Note that the document is predominantly based on concepts defined within GDPR regulations, however the proposed solution and concepts are generic and can by mapped to any relevant local data protection regulations. |
Some of this capitalization doesn't seem necessary.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@RandyLevensalor
The capitalisation is intentional - it means the term has been defined elsewhere in the document (in this case, in the glossary section, though that itself is being updated in PR #212).
When capitalised in this way, it means the document is intentionally using the defined term, and this hopefully prevents others interpreting the term in a different way.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Exactly, thanks @eric-murray. @RandyLevensalor As mentioned in #182 (comment), this PR #182 has been split into three PRs with the same changes for ease of handling. This PR should be closed and we can agree the necessary adjustments to the others.
This document includes following concepts: | ||
- User identity, and how to identify the User. | ||
- Application Service Provider (ASP) authentication and authorization, and how to authenticate the ASP's applications and authorize their access to CAMARA APIs. | ||
- How Purpose applies to CAMARA APIs. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- How Purpose applies to CAMARA APIs. | |
- How purpose applies to CAMARA APIs. |
Not sure why "Purpose" is capitalized.
- User identity, and how to identify the User. | ||
- Application Service Provider (ASP) authentication and authorization, and how to authenticate the ASP's applications and authorize their access to CAMARA APIs. | ||
- How Purpose applies to CAMARA APIs. | ||
- How to capture and store Consent when required, without materially degrading the End-User's experience of an ASP's Application. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- How to capture and store Consent when required, without materially degrading the End-User's experience of an ASP's Application. | |
- How to capture and store consent when required, without materially degrading the End-User's experience of an ASP's Application. |
Capitalization
- Application Service Provider (ASP) authentication and authorization, and how to authenticate the ASP's applications and authorize their access to CAMARA APIs. | ||
- How Purpose applies to CAMARA APIs. | ||
- How to capture and store Consent when required, without materially degrading the End-User's experience of an ASP's Application. | ||
- Policy enforcement to validate the existence and/or validity of Consent before authorizing access to a CAMARA API. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- Policy enforcement to validate the existence and/or validity of Consent before authorizing access to a CAMARA API. | |
- Policy enforcement to validate the existence and/or validity of consent before authorizing access to a CAMARA API. |
### Applying purpose concept in the authorization request | ||
|
||
The mechanism for applying the concept of purpose in the authorization request in CAMARA is by using the standard `scope` parameter as defined in [Purpose as a scope](https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-Security-Interoperability.md#purpose-as-a-scope) section of the CAMARA Security and Interoperability Profile. | ||
- `Aggregator`: the party that aggregates CAMARA APIs exposed by Operators, and exposes services that utilize these APIs to ASPs. An Aggregator can be a hyperscaler (e.g. Vonage, AWS, Azure, Google Cloud) offering its own services that consume CAMARA APIs, or exposing Operators' CAMARA APIs in an aggregated way, or an Operator acting as an Aggregator, i.e. an Operator aggregating other Operators' CAMARA APIs. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- `Aggregator`: the party that aggregates CAMARA APIs exposed by Operators, and exposes services that utilize these APIs to ASPs. An Aggregator can be a hyperscaler (e.g. Vonage, AWS, Azure, Google Cloud) offering its own services that consume CAMARA APIs, or exposing Operators' CAMARA APIs in an aggregated way, or an Operator acting as an Aggregator, i.e. an Operator aggregating other Operators' CAMARA APIs. | |
- `Aggregator`: the party that aggregates CAMARA APIs exposed by operators, and exposes services that utilize these APIs to ASPs. An aggregator can be a hyperscaler (e.g. Vonage, AWS, Azure, Google Cloud) offering its own services that consume CAMARA APIs, or exposing operators' CAMARA APIs in an aggregated way, or an operator acting as an aggregator, i.e. an operator aggregating other operators' CAMARA APIs. |
|
||
The mechanism for applying the concept of purpose in the authorization request in CAMARA is by using the standard `scope` parameter as defined in [Purpose as a scope](https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-Security-Interoperability.md#purpose-as-a-scope) section of the CAMARA Security and Interoperability Profile. | ||
- `Aggregator`: the party that aggregates CAMARA APIs exposed by Operators, and exposes services that utilize these APIs to ASPs. An Aggregator can be a hyperscaler (e.g. Vonage, AWS, Azure, Google Cloud) offering its own services that consume CAMARA APIs, or exposing Operators' CAMARA APIs in an aggregated way, or an Operator acting as an Aggregator, i.e. an Operator aggregating other Operators' CAMARA APIs. | ||
- `API Exposure Platform`: the Operator's platform for exposing CAMARA APIs to ASPs and Aggregators, providing authentication and authorization mechanisms, and End-User Consent management. The API Exposure Platform typically consists of at least an Auth Server and an API Gateway. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- `API Exposure Platform`: the Operator's platform for exposing CAMARA APIs to ASPs and Aggregators, providing authentication and authorization mechanisms, and End-User Consent management. The API Exposure Platform typically consists of at least an Auth Server and an API Gateway. | |
- `API Exposure Platform`: the Operator's platform for exposing CAMARA APIs to ASPs and aggregators, providing authentication and authorization mechanisms, and End-User consent management. The API exposure platform typically consists of at least an Auth Server and an API gateway. |
- `Aggregator`: the party that aggregates CAMARA APIs exposed by Operators, and exposes services that utilize these APIs to ASPs. An Aggregator can be a hyperscaler (e.g. Vonage, AWS, Azure, Google Cloud) offering its own services that consume CAMARA APIs, or exposing Operators' CAMARA APIs in an aggregated way, or an Operator acting as an Aggregator, i.e. an Operator aggregating other Operators' CAMARA APIs. | ||
- `API Exposure Platform`: the Operator's platform for exposing CAMARA APIs to ASPs and Aggregators, providing authentication and authorization mechanisms, and End-User Consent management. The API Exposure Platform typically consists of at least an Auth Server and an API Gateway. | ||
- `Application` or `Application Backend`: the ASP's software services that access CAMARA APIs. | ||
- `Application Service Provider (ASP)`: the Legal Entity that provides the Application and/or services that consume CAMARA APIs. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- `Application Service Provider (ASP)`: the Legal Entity that provides the Application and/or services that consume CAMARA APIs. | |
- `Application Service Provider (ASP)`: the legal entity that provides the application and/or services that consume CAMARA APIs. |
…ms-and-defs PR #182 split - terms and definitions (part 1 of 3)
…ter-english PR #182 split - better english improvements (part 2 of 3)
…o-description-template PR #182 split - info.description template review (part 3 of 3)
What type of PR is this?
documentation
What this PR does / why we need it:
Defines terms and keeps them consistent throughout, improves clarity in English writing.
Which issue(s) this PR fixes:
#98
Special notes for reviewers:
Changelog input
Additional documentation