Conversation
OpenAPI version and reserved words transferred to the new document
OpenAPI version and reserved words transferred to the new document
replace Camara with CAMARA where possible
POST or GET transferred to the new document Content-type header transferred to the new document
POST or GET transferred to the new document Content-type header transferred to the new document
ToC updated
|
Filenames were updated to be more descriptive - PR description explains what is the purpose for each file. |
| - `GET /users?creationDate.gte=2020-01-01T00:00:00&creationDate.lte=2021-12-31T23:59:59` | ||
| - Search for users created between 2020 and 2021 | ||
|
|
||
| ## Security |
There was a problem hiding this comment.
Adding Section Numbers could increase readability.
|
|
||
| 1. **Simple Management**. | ||
| Securing only the APIs that need to be secure. Any time the more complex solution is made "unnecessarily", it is also likely to leave a hole. | ||
| 2. **HTTPs must be always used**. |
There was a problem hiding this comment.
Could make sense to say "for production installation" (i.e. separate staging / testing installations)
| Securing only the APIs that need to be secure. Any time the more complex solution is made "unnecessarily", it is also likely to leave a hole. | ||
| 2. **HTTPs must be always used**. | ||
| TLS ensures the confidentiality of the transported data and that the server's hostname matches the server's SSL certificate. | ||
| - If HTTP 2 is used to improve performance, you can even send multiple requests over a single connection, this way you will avoid the complete overhead of TCP and SSL on later requests. |
There was a problem hiding this comment.
Note, usage of HTTP1.1 persistent connections allows also sending multiple requests over the same TCP connection.
| ### Security definition | ||
|
|
||
| In general, all APIs must be secured to ensure who has access to what and for what purpose. | ||
| CAMARA uses OIDC and CIBA for authentication and consent collection and to determine whether the user has, |
There was a problem hiding this comment.
No OAuth Client Credentials?
| CAMARA uses OIDC and CIBA for authentication and consent collection and to determine whether the user has, | ||
| e.g. opted out of some API access. | ||
|
|
||
| The [Camara Security and Interoperability Profile](https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-Security-Interoperability.md#purpose) defines that a single purpose is encoded in the list of scope values. The purpose values are defined by W3C Data Privacy Vocabulary as indicated in the [Profile](https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-Security-Interoperability.md#purpose-as-a-scope). |
There was a problem hiding this comment.
Always?
What about APIs, where OAuth Client Credentials (i.e. no relation to personal data) can be used?
A purpose is only needed when accessing personal data.
| The name `openId` must be same as defined in the components.securitySchemes section. | ||
|
|
||
|
|
||
| ### Mandatory template for `info.description` in CAMARA API specs |
There was a problem hiding this comment.
Is this template applicable to 3-legged and also 2-legged tokens (aka also for Client Credential cases)?
|
|
||
| Security requirements of an API are expressed in OpenAPI through [Security Requirement Objects](https://spec.openapis.org/oas/v3.0.3#security-requirement-object). | ||
|
|
||
| The following is an example of how to use the `openId` security scheme defined above as described in [Use of security property](https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-API-access-and-user-consent.md#use-of-security-property): |
There was a problem hiding this comment.
Isnt it better to have the example in the Security & Interoperability Guideline?
|
|
||
| Using the GET operation to pass sensitive data potentially embeds this information in the URL | ||
| if contained in query or path parameters. | ||
| For example, this information can remain in browser history, could be visible to anyone who can read the URL, |
There was a problem hiding this comment.
...could be visible to anyone who can read the URL
When HTTPS / TLS is used, only authorized people can read the URLs, e.g. people with an admin password on the server.
| For example, this information can remain in browser history, could be visible to anyone who can read the URL, | |
| For example, this information can remain in browser history and could be visible to anyone who can read the browser history, |
| Using the GET operation to pass sensitive data potentially embeds this information in the URL | ||
| if contained in query or path parameters. | ||
| For example, this information can remain in browser history, could be visible to anyone who can read the URL, | ||
| or could be logged by elements along the route such as gateways and load balancers. |
There was a problem hiding this comment.
well, also headers and the body can be logged. However, logs are often limited to most essential info.
And, access to log files is often limited to admins, i.e. privileged users.
|
@tlohmar Thanks for your comments, some of them can be addressed by ICM, some of them can be subject to separate PR when we agree on the new document structure and content directly transferred from current guidelines document. |
PedroDiez
left a comment
There was a problem hiding this comment.
As a suggestion would recommend to user "hyphens" instead of "spaces" for file names
documentation/CAMARA API Event Subscription and Notification.md
Outdated
Show resolved
Hide resolved
Some additional sections from chapter 3, 4, 11 transferred to the new document
New version with changed struscture, added content and ToC
…de.md file name without spaces
|
|
||
| #### 5.5.1. api-name | ||
|
|
||
| `api-name` is what is specified as the base path, prior to the API version, in the `servers[*].url` property. |
There was a problem hiding this comment.
Is it ok, when the api-name string includes a forward slash (e.g. /location/verification/v0) (as /api-name/api-version)?
When not, I suggest to add a statement, that the forward slash character is not allowed.
There was a problem hiding this comment.
api-name in the example is location-verification and it is stated below it should be "kebab-case string" so other special characters beside "dash" are not allowed.
…o CAMARA-API-Event-Subscription-and-Notification.md Formated and restructured, ToC added
|
The work will continue in PR #441 |
What type of PR is this?
What this PR does / why we need it:
Working documents for cleanup of API Design Guidelines.
The initial issue: #306
Which issue(s) this PR fixes:
Fixes
Does this PR introduce a breaking change?
Special notes for reviewers:
For further discussion: initially we need to verify if all requirements are covered by new documents.