-
Notifications
You must be signed in to change notification settings - Fork 28
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
remove empty security scheme #204
Comments
@AxelNennker the notification-as-cloud-event.yaml is the helper artifact that shows how the notification receiver can be implemented by API Consumer. I think, the empty security scheme is added deliberately here , as it is up to API Consumer what security scheme he uses for receiving notifications. I propose to close this issue or transform it to improve the description to clarify the security of |
As I said, I think no Camara API should have no-security.
I don't understand. It is for the API subgroup to decide which security is implemented and THEN the client can choose if there are multiple.
The current "recommendation" here is:
Maybe there should be an new issue on the security schemes?
Please clarify. Ceterum censeo |
Maybe I am misunderstanding this completely and your intention is
|
I was/am thinking along the lines of CIBA. The client requests to receive notifications and sends an register-for-notifications event authenticated by some client authentication. Then when the event happens the telco sends the notification to the client's endpoint. Anyway, some clarification is needed. |
@AxelNennker It looks that guidelines changes in PR #198 clarify the security of notifications. |
The fact of indicating empty security is deliberate in order to not force an API consumer to provide a security mechanism. security:
- notificationsBearerAuth: []
- {} In case it provides one security mechanism, it is up to the API consumer its generation. So the "notificationsBearerAuth" schema. This issue opens several points: (that we will need to discuss)
|
Specifying the need for "something-something-bearer-token" is not enough, I think. Camara is the source and, as currently specified, needs to send the authorization that is the bearer token. I assume Carama does not want to become a client to the API Cosumer's AZ which would be one option to retrieve an access token that is then send as a bearer token. Nobody should setup an endpoint with no security. See e.g. Zero Trust Some might have the view "What should Camara care if the API consumer not protected?" I say that we must care and we should not send notifications from telco/Camara systems to some insecure system. What are the options?
|
Discussion is fair, however we need to agree first in which direction we move on and, if we have room and agree to address within Meta-Release Fall24. Currently, we as "CAMARA" allow the "API Consumer" endpoint to be optionally protected, and in case it is protected, API Consumer indicates within "notificationAuthToken" (what it would be sinkCredential concept, ACCESSTOKEN type)
|
Please see my comment #198 (comment) It is not in Camara's interest to ignore the security of the API consumer. |
Please see #198 (comment) I think the empty security scheme should be removed and the guideline should not suggest to API consumers that "credentials are not needed". |
When the notification structure was being developed in Quality on Demand, the original proposal was to "force" the API consumer to specify a "token" (an arbitrary string), which would be included in an But the objection was raised that we shouldn't pretend it was a bearer token if it was not, and hence the explicit option to have "no security" (notifications are always sent using TLS, of course) was included. This also slightly reduces the size of the notification, as no Of course, the API consumer could still provide a fake token if they wished. So, by removing the "no security" option (and assuming that the very same objection was not raised again), we would be back to that being the only option for API consumers who do not want to validate the token in any notifications. I don't mind that, though I don't see what is really being achieved, other than to inconvenience the API consumer slightly more by forcing them to specify a fake token they then ignore rather than none at all. And we would need to improve the documentation, as giving the impression that we require the API consumer to maintain an OAuth server in order to receive notifications (even though not true) would put many off using CAMARA APIs. |
The key point here is that, if we agree from Commonalities point of view that Notifications MUST be secured, then we are implicitly saying that the API consumer has to provide that token when creating the subscription (instance-based or resource-based) cc @jlurien |
Problem description
In OAI
{}
denotes empty security.From the spec:
From notification-as-cloud-event.yaml
Expected behavior
No Camara API should have empty security.
Alternative solution
Remove empty security from all Camara yaml files, esspecially those in Commonalities.
notification-as-cloud-event.yaml
The text was updated successfully, but these errors were encountered: