Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add required security scheme and scopes #295

Merged
merged 10 commits into from
Jul 11, 2024
29 changes: 19 additions & 10 deletions code/API_definitions/qos-profiles.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,12 @@ info:

How QoS profiles are mapped to connectivity characteristics are subject to agreements between the communication service provider and the API invoker. Within the CAMARA project, you can find a sample for such a mapping of QoS profiles. [CAMARA QoS Profiles Mapping Table (REFERENCE DRAFT)](https://github.com/camaraproject/QualityOnDemand/blob/main/documentation/API_documentation/QoSProfile_Mapping_Table.md)

# Authorization and Authentication

CAMARA guidelines defines a set of authorization flows which can grant API clients access to the API functionality, as outlined in the document [CAMARA-API-access-and-user-consent.md](https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-API-access-and-user-consent.md). Which specific authorization flows are to be used will be determined during onboarding process, happening between the API Client and the Telco Operator exposing the API, taking into account the declared purpose for accessing the API, while also being subject to the prevailing legal framework dictated by local legislation.
eric-murray marked this conversation as resolved.
Show resolved Hide resolved

It is important to remark that in cases where personal user data is processed by the API, and users can exercise their rights through mechanisms such as opt-in and/or opt-out, the use of 3-legged access tokens becomes mandatory. This measure ensures that the API remains in strict compliance with user privacy preferences and regulatory obligations, upholding the principles of transparency and user-centric data control.

# Further info and support

(FAQs will be added in a later version of the documentation)
Expand All @@ -26,20 +32,22 @@ info:
name: Apache 2.0
url: https://www.apache.org/licenses/LICENSE-2.0.html
version: wip

externalDocs:
description: Product documentation at Camara
url: https://github.com/camaraproject/
security:
- oAuth2ClientCredentials: []

servers:
- url: "{apiRoot}/qos-profiles/vwip"
variables:
apiRoot:
default: http://localhost:9091
description: API root, defined by the service provider, e.g. `api.example.com` or `api.example.com/somepath`

tags:
- name: QoS Profiles
description: Manage QoS Profiles

paths:
/qos-profiles:
get:
Expand All @@ -50,6 +58,9 @@ paths:
Returns all QoS Profiles that match the given criteria.
If no criteria is given, all QoS Profiles are returned.
operationId: getQosProfiles
security:
- openId:
- qos-profiles:qos-profiles:read
parameters:
- name: name
in: query
Expand Down Expand Up @@ -95,6 +106,9 @@ paths:
operationId: getQosProfile
description: |
Returns a QoS Profile that matches the given name.
security:
- openId:
- qos-profiles:qos-profiles:read
parameters:
- name: name
in: path
Expand Down Expand Up @@ -128,14 +142,9 @@ paths:

components:
securitySchemes:
oAuth2ClientCredentials:
hdamker marked this conversation as resolved.
Show resolved Hide resolved
description: |
The QoS Profiles API makes use of the OAUTH 2.0 client credentials grant which is applicable for server to server use cases involving trusted partners or clients without any protected user data involved. In this method the API invoker client is registered as a confidential client with an authorization grant type of client_credentials
type: oauth2
flows:
clientCredentials:
tokenUrl: https://api.example.com/oauth/token
scopes: {}
openId:
type: openIdConnect
openIdConnectUrl: https://example.com/.well-known/openid-configuration

parameters:
x-correlator:
Expand Down
63 changes: 25 additions & 38 deletions code/API_definitions/quality-on-demand.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,12 @@ info:

![QoD Management API](https://raw.githubusercontent.com/camaraproject/QualityOnDemand/main/documentation/API_documentation/resources/QoD_details.PNG)

# Authorization and Authentication

CAMARA guidelines defines a set of authorization flows which can grant API clients access to the API functionality, as outlined in the document [CAMARA-API-access-and-user-consent.md](https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-API-access-and-user-consent.md). Which specific authorization flows are to be used will be determined during onboarding process, happening between the API Client and the Telco Operator exposing the API, taking into account the declared purpose for accessing the API, while also being subject to the prevailing legal framework dictated by local legislation.
eric-murray marked this conversation as resolved.
Show resolved Hide resolved

It is important to remark that in cases where personal user data is processed by the API, and users can exercise their rights through mechanisms such as opt-in and/or opt-out, the use of 3-legged access tokens becomes mandatory. This measure ensures that the API remains in strict compliance with user privacy preferences and regulatory obligations, upholding the principles of transparency and user-centric data control.

# Further info and support

(FAQs will be added in a later version of the documentation)
Expand All @@ -65,20 +71,22 @@ info:
name: Apache 2.0
url: https://www.apache.org/licenses/LICENSE-2.0.html
version: wip

externalDocs:
description: Product documentation at Camara
url: https://github.com/camaraproject/
security:
- oAuth2ClientCredentials: []

servers:
- url: "{apiRoot}/quality-on-demand/vwip"
variables:
apiRoot:
default: http://localhost:9091
description: API root, defined by the service provider, e.g. `api.example.com` or `api.example.com/somepath`

tags:
- name: QoS Sessions
description: Manage QoS sessions

paths:
/sessions:
post:
Expand All @@ -103,6 +111,9 @@ paths:
for the same device and flow period they must release the session resources with an explicit `delete` operation if not yet automatically deleted.

operationId: createSession
security:
- openId:
- quality-on-demand:sessions:create
parameters:
- $ref: "#/components/parameters/x-correlator"
requestBody:
Expand Down Expand Up @@ -257,10 +268,6 @@ paths:
$ref: "#/components/responses/Generic501"
"503":
$ref: "#/components/responses/Generic503"
security:
- oAuth2ClientCredentials: []
- threeLegged:
- "qod-sessions-write"

/sessions/{sessionId}:
get:
Expand All @@ -269,6 +276,9 @@ paths:
summary: Get QoS session information
description: Querying for QoS session resource information details
operationId: getSession
security:
- openId:
- quality-on-demand:sessions:read
parameters:
- name: sessionId
in: path
Expand Down Expand Up @@ -304,10 +314,6 @@ paths:
$ref: "#/components/responses/Generic500"
"503":
$ref: "#/components/responses/Generic503"
security:
- oAuth2ClientCredentials: []
- threeLegged:
- "qod-sessions-read"

delete:
tags:
Expand All @@ -321,6 +327,9 @@ paths:
- `statusInfo` as `DELETE_REQUESTED`
There will be no notification event if the `qosStatus` was already `UNAVAILABLE`.
operationId: deleteSession
security:
- openId:
- quality-on-demand:sessions:delete
parameters:
- name: sessionId
in: path
Expand All @@ -347,10 +356,6 @@ paths:
$ref: "#/components/responses/Generic500"
"503":
$ref: "#/components/responses/Generic503"
security:
- oAuth2ClientCredentials: []
- threeLegged:
- "qod-sessions-delete"

/sessions/{sessionId}/extend:
post:
Expand All @@ -365,6 +370,9 @@ paths:
- Requested additional duration: 30,000 seconds
- New overall session duration: 50,000 seconds (the maximum allowed)
operationId: extendQosSessionDuration
security:
- openId:
- quality-on-demand:sessions:update
parameters:
- name: sessionId
in: path
Expand Down Expand Up @@ -422,38 +430,17 @@ paths:
$ref: "#/components/responses/Generic500"
"503":
$ref: "#/components/responses/Generic503"
security:
- oAuth2ClientCredentials: []
- threeLegged:
- "qod-sessions-write"

components:
securitySchemes:
oAuth2ClientCredentials:
description: |
The QoD API makes use of the OAUTH 2.0 client credentials grant which is applicable for server to server use cases involving trusted partners or clients without any protected user data involved. In this method the API invoker client is registered as a confidential client with an authorization grant type of client_credentials
type: oauth2
flows:
clientCredentials:
tokenUrl: https://api.example.com/oauth/token
scopes: {}
openId:
type: openIdConnect
openIdConnectUrl: https://example.com/.well-known/openid-configuration
notificationsBearerAuth:
description: Bearer authentication for notifications
type: http
scheme: bearer
bearerFormat: "{$request.body#/webhook/notificationAuthToken}"
threeLegged:
type: oauth2
description: This API uses OAuth 2 with the authorization code grant flow.
flows:
authorizationCode:
authorizationUrl: https://api.example.com/oauth2/authorize
tokenUrl: https://api.example.com/oauth/token
scopes:
qod-sessions-read: Retrieval of QoS sessions
qod-sessions-write: Creation and update of QoS sessions
qod-sessions-delete: Deletion of QoS sessions
qod-profiles-read: Retrieval of QoS profiles

parameters:
x-correlator:
Expand Down