From 4440ce926b2a3b4cdbb64732bd4059edb3b11d77 Mon Sep 17 00:00:00 2001
From: Michiel de Jong
Date: Tue, 3 Sep 2024 14:44:23 +0200
Subject: [PATCH] httpsig and short-lived bearer tokens as alternative to sharedSecret (#98)

* OAuth code as alternative to sharedSecret

This would allow for some more modern security best practices like pre-registering clients and making the access token short-lived and client-bound

* whitespace

* typo

* GNAP instead of OAuth 2.0 Authorization Code flow

GNAP is more appropriate here because it makes way fewer assumptions about the interaction (in particular it doesn't assume the use of browser redirects)

* camel case

* simplify from GNAP to httpsig+bearer

* clarify language

* `/token`
---
 README.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/README.md b/README.md
index c90e931..c039782 100644
--- a/README.md
+++ b/README.md
@@ -65,6 +65,9 @@ In response to a share creation, the receiving server MAY send back a [notificat To access a share, the receiving server MAY use multiple ways, depending on the received payload and on the `protocol.name` property: * If `protocol.name` = `multi`, the receiver MUST make a HTTP PROPFIND request to `protocol.webdav.uri` to access the remote share. If `protocol.webdav.sharedSecret` is not empty, the receiver MUST pass it as a `Authorization: bearer` header. +Otherwise, if `protocol.webdav.code` is not empty, the receiver SHOULD discover the sender's OCM endpoint and make a signed POST request to `/token`, to exchange +the code for a short-lived bearer token, +and then use that bearer token to access the remote share. * If `protocol.name` = `webdav`, the receiver SHOULD inspect the `protocol.options` property. If it contains a `sharedSecret`, as in the [legacy example](https://cs3org.github.io/OCM-API/docs.html?branch=develop&repo=OCM-API&user=cs3org#/paths/~1shares/post), then the receiver SHOULD make a HTTP PROPFIND request to `https://:@`, where `` is the remote server, and `` is obtained by querying the [Discovery](#discovery) endpoint at the remote server and getting `resourceTypes[0].protocols.webdav`. Note that this access method is _deprecated_ and may be removed in a future release of the Protocol.
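Review bot: the new `protocol.webdav.code` branch tells the receiver to "make a signed POST request to `/token`" but never says what signs it: the patch subject names httpsig, yet the README text does not state that the request carries an HTTP Message Signature, which key signs it, how the sender locates and verifies that key, or what the request body and the token response look like, so two implementations cannot interoperate on this path from the text alone. Suggest spelling it out, for example "make a POST request to `<ocm endpoint>/token`, signed with HTTP Message Signatures using the key the receiver publishes in its own discovery document, carrying the `code`; the response contains a short-lived bearer token", and defining the request and response formats in the same section. Because the added sentence opens with "Otherwise", `sharedSecret` takes precedence whenever both fields are present, which undercuts the stated goal of replacing the long-lived secret; state which field wins when both are sent, and what the receiver does when it cannot produce a signature, since this branch is only a SHOULD with no fallback. Minor, in the unchanged context lines: "pass it as a `Authorization: bearer` header" should read "pass it as an `Authorization: Bearer` header".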