Authorization Consistency Across MDS

Open schnuerle opened this issue 5 years ago • 2 comments

Is your feature request related to a problem? Please describe.

Currently each MDS API has its own descriptions of authorization methods and options.

Provider: Entire Auth.md page with JWT recommended

Agency: Authorization section that requires JWT

Policy: Authorization is not mentioned

Geography: Authorization section and bearer token language with public option

General Information: Authorization is not mentioned

Describe the solution you'd like

These disparate authorization descriptions should be consolidated across MDS and likely put into the General Information page with sections for JWT. The content from Provider could be a starting point, with additional subsections around optional JWT auth, public feeds, etc. Then each API can reference and link to the appropriate section consistently.

Is this a breaking change?

  • I'm not sure

Impacted Spec

For which spec is this feature being requested?

  • agency
  • policy
  • provider

Describe alternatives you've considered

N/A

Additional context

This came up in a Working Group call on Oct 7 2020.

schnuerle avatar Oct 09 '20 20:10 schnuerle

I think this is a very good idea. Whenever we write this unified authentication information, we should also note that the current reference implementation makes certain assumptions about the claims in the JWT provided by clients to gate certain data (e.g. only certain clients are authorized to view unpublished policies).

janedotx avatar Jan 11 '21 19:01 janedotx

See notes from the WG call this week.

  • Not complex to fix, but a bit tedious
  • Max can volunteer to do PR at some point
  • Docs and organizing, not breaking or not, not changing
  • May identify areas for improvements along the way

schnuerle avatar Jan 15 '21 21:01 schnuerle

As part of the #506 #644 #796 work, authorization across MDS will be more consistent and clear.

Note to make sure as part of 2.0 work we also make sure Policy, Geography, and Jurisdiction are required to be public, as promised here: https://github.com/openmobilityfoundation/mobility-data-specification/blob/main/general-information.md#optional-authentication

schnuerle avatar Dec 19 '22 17:12 schnuerle

I've been meaning to work on this, based on extensive work on the Lacuna side that we're happy to share.

marie-x avatar Dec 22 '22 02:12 marie-x

That would be great to share what you are thinking. Seems like it would align well with the Agency/Provider work.

schnuerle avatar Dec 22 '22 23:12 schnuerle

Do you think this is resolved with #796, @marie-x? If not, we can move to a future release or clean up now when making the release candidate.

schnuerle avatar Jan 09 '23 21:01 schnuerle

I haven't done the writeup yet. If we can get the reconciliation work done, then I can work on this. Else defer I think. Don't feel strongly either way.

marie-x avatar Jan 09 '23 21:01 marie-x

Complete with #835. If you have any recommended changes, leave a comment here for future inclusion during release review process.

schnuerle avatar Feb 08 '23 19:02 schnuerle