Include OIDC securityScheme, format scopes and add x-correlator header #53
Conversation
fernandopradocabrillo
requested a review
from DT-DawidWroblewski
as a code owner
… into update-yaml-and-commonalities-sync
|
@bigludo7 I updated the PR after the merge of the documentation PR. Now it is synchronized with the documentation. Please approve again since it has been dismissed automatically 😄 |
There was a problem hiding this comment.
To have a base release within this repository, I propose to create an (alpha) release v0.4.1 of the current content in main before this PR will be merged and you continue with v0.5.0-wip. This also as some companies are want to start implemantation on a release version, knowing that they have to adapt the security schema and other points later.
|
In addition the same comment as in camaraproject/NumberVerification#60 (review) ... in my view X-Correlator does not need to be defined within the OAS here. |
|
According to the discussion within #55 I agreee that this PR might need to be discussed and merged before a first release of this repo can be produced. Unfortunately this PR is addressing two different issues which have unrelated discussions. I would recommend to reduce the scope of this PR to securityScheme and format scopes, but carve the X-Correlator discussion out into a separate PR later. That will allow that the discussion of in #49 will not block the PR (and in consequence a first release). |
@hdamker Sure, I will remove the x-correlator from this PR and open a new one so we only have the securitySchemes and scopes changes here |
|
I might be missing something here, but why does this version of the API still require the MSISDN (phone number) to be passed in the |
@eric-murray I also think it should be removed. My idea was to first solve the authorization topic and the create an issue and a PR to remove it, since the new version is still going to be on wip until we go for a release. Step by step 😄 |
|
Thanks @fernandopradocabrillo for the prompt response. So I understand that removing this parameter will be discussed in a later step. So now I'm no longer confused! Many thanks. |
This was discussed earlier, when both client credentials and 3-legged where considered. Simply to keep payload auth independent. However, if 3-legged will be the only auth method, MSISDN in the input becomes redundant. MSISDN is declared as a sensitive information, this leads to special handling (like putting it into header to reduce risk of occasional leakage). From this point of view, removing MSISDN from the payload completely is the best protection. BUT, we should not postpone this step for a long time - removing MSISDN is a not backward compatible change. |
|
@gregory1g @eric-murray |
@hdamker |
|
@DT-DawidWroblewski |
@eric-murray This PR seems to be going in that direction: camaraproject/Commonalities#57 |
|
Thanks @fernandopradocabrillo. In the absence of meeting minutes, I shall wait to see if this PR is approved and merged in its current state. |
|
Hi @eric-murray ! you can find MoMs in dedicated branch, here: I was asked to make a clean-up and add MoMs to main branch, so I'll do it later this week. |
code/API_definitions/sim_swap.yaml
Outdated
| @@ -42,7 +49,7 @@ info: | |||
| license: | |||
| name: Apache 2.0 | |||
| url: https://www.apache.org/licenses/LICENSE-2.0.html | |||
| version: 0.4.1 | |||
| version: 0.8.0 | |||
There was a problem hiding this comment.
As long as you hadn't the interim versions like 0.5.0, please don't jump here for marketing reason. 0.8.0 is not nearer to v1.0 then any other 0.x version (and please remind that after v0.9.0 there is v0.10.0, not automatically v1.0).
There was a problem hiding this comment.
got it - as long as we can converge towards release, version is not an issue
There was a problem hiding this comment.
we stick to 0.5.0-wip as we're changing securityScheme based on consensus we reached on last meeting
There was a problem hiding this comment.
@hdamker
This comment has been addressed, can you remove the change request to merge the PR? Thanks!
There was a problem hiding this comment.
@fernandopradocabrillo yes, this is addressed.
|
@bigludo7 can you please review changes, so we can merge them and create a release version? thx! |
code/API_definitions/sim_swap.yaml
Outdated
| @@ -30,6 +30,13 @@ info: | |||
|
|
|||
| - POST check: Checks if SIM swap has been performed during a past period (defined in the request with 'maxAge' attribute) for a given phone number. | |||
|
|
|||
| The API supports 2 security security schemes: | |||
|
|
|||
| - clientCredentials | |||
There was a problem hiding this comment.
@bigludo7 @DT-DawidWroblewski @eric-murray
On this topic (at the risk of sounding repetitive) there is no agreement yet..
I understand the need to provide a release version, which I completely agree with, but it is a complicated issue that involves conversations in other WG at different levels.
In my opinion, we should release a version with the securitySchemes agreed (OpenId) and open a new PR to provide more information in the yaml description if that is decission on commonalities.
There was a problem hiding this comment.
We agreed on our last sub-group meeting to have openIdConnect security scheme with well-known, where developer derives available security schemes. Additionaly, we provide information about available security schemes in description.
Alternatively, we can leave our agreement and simply create a release version based on existing API description that explicitly covers clientCredentials & three-legged-token, but that is against our consensus.
I suggest to continue with this PR and open a new one, that observes the outcome from other WGs.
Otherwise, we cannot converge towards release version...
There was a problem hiding this comment.
Hi @DT-DawidWroblewski !
My comment is mainly focused on the main issue we are dealing with here. We cannot explicitly say that we support client credentials because that is not what has been agreed. And this is a discussion that unfortunately we cannot have in the subgroup and decide unilaterally, it has to be agreed in I&C and Commonalities.
In order to proceed with the release, including the OpenId securityScheme allows us to unlock this issue by delegating this decision to the I&C discussion and revisit it in the future if there is a new agreement.
There was a problem hiding this comment.
We agreed that we want to give developer a hint what security schemes are available for SimSwap API, if a particular Auth Server has such capabilities. Can you suggest a place in yaml where we can add this? Thx!
There was a problem hiding this comment.
@DT-DawidWroblewski @fernandopradocabrillo I'm bit lost now.
Can you suggest a place in yaml where we can add this?
If we use open id as described for example here https://swagger.io/docs/specification/authentication/openid-connect-discovery/ the objective is to not mix authorization and API yaml definition.
But @DT-DawidWroblewski I understood that it will not prevent you to use client credential as long as it is defined in the https://server.com/.well-known/openid-configuration file.
If we have in the yaml both openId & client credential listed that will be confusing no ?
There was a problem hiding this comment.
I saw a comment inside Id&C working group. In order to be compliant with OAS, we should explicitly state both security schemes.
If we don't want to follow the consensus we made during a meeting, I suggest waiting until Issue #57 inside Id&C working group is closed.
|
Hi @fernandopradocabrillo @bigludo7 ! I updated API description according to recent OGW suggestion. Please review/approve PR, so we can merge it and create release version. Thx! |
@DT-DawidWroblewski I'm not sure about the version change, we are already in the 0.4.1, I don't think we can go now for a 0.4.1-wip. I think it is best to continue to a 0.5.0 and make the release in that version. We don't have anything else new on the table right now I believe. |
|
@fernandopradocabrillo @DT-DawidWroblewski |
|
Ok - I think that v0.5.0 makes sense :) I'll update accordingly... |
|
@fernandopradocabrillo @bigludo7 please review |
| retrieve-sim-swap-date: retrieveSimSwapDate operation | ||
| openId: | ||
| type: openIdConnect | ||
| openIdConnectUrl: https://example.com/.well-known/openid-configuration |
There was a problem hiding this comment.
I know this is currently a WIP but, given the existence of extension grants, the .well-known/openid-configuration could include any grant type that has a defined urn. Could we not give some guidance to those looking to implement this via a description documenting what grant types they might find in openid-configuration for this API and which they won't?
Or is that just too controversial at the moment?
There was a problem hiding this comment.
For the moment it's been agreed to not indicate further information inside the yaml. I think there are further details regarding this in the I&C workgroup.
There was a problem hiding this comment.
Can you point me to the agreement that says YAMLs must not say anything about what security schemes are applicable for that API?
There was a problem hiding this comment.
I'm checking with my collegues and it seems I wasn't align with the final decisions on this topic and all the details. I'm sorry for the misunderstanding. From TEF we are align with what was decided in the TSC.
Would it be okey to merge this PR with the schemes and continue with the discussion of appropiate wording/way to put this information in a different issue?
It seems that this is something that affects all apis and we should document in the same way for all apis.
There was a problem hiding this comment.
OK, let's return to this topic later. It needs to be resolved before any release.
LGTM I can't approve because it's my PR but it's fine from my side :) |
There was a problem hiding this comment.
Approval to remove my change request which was not related to topic at hand.
But there is the need to revist the documentation towards developers before a release of the API as stated multiple times above in comments, latest by @eric-murray in #53
What type of PR is this?
Add one of the following kinds:
What this PR does / why we need it:
Sources for points 1 and 2:
* Commonalities Issue: camaraproject/Commonalities#53
* Identity and Consent Issue: camaraproject/IdentityAndConsentManagement#57
* Commonalities PR: camaraproject/Commonalities#57
Which issue(s) this PR fixes:
Fixes (#49) Add x-correlator as header attribute
Special notes for reviewers:
Notice that the documentation is still not update, once we merge the documentation PR (#52) I'll sync this one
Changelog input
N/A
Additional documentation
N/A