From 9b52bc2eb84b5257f30840b5fec82add93d549b0 Mon Sep 17 00:00:00 2001 From: Alex Kanitz Date: Wed, 4 Oct 2023 01:05:01 -0700 Subject: [PATCH 1/2] auth: mandate JWT bearer token auth --- openapi/task_execution_service.openapi.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/openapi/task_execution_service.openapi.yaml b/openapi/task_execution_service.openapi.yaml index 8cf520c..d70bf2f 100644 --- a/openapi/task_execution_service.openapi.yaml +++ b/openapi/task_execution_service.openapi.yaml @@ -66,6 +66,8 @@ info: servers: - url: /ga4gh/tes/v1 +security: + - bearerAuth: [] paths: /service-info: get: @@ -246,6 +248,22 @@ paths: schema: $ref: '#/components/schemas/tesCancelTaskResponse' components: + securitySchemes: + bearerAuth: + type: http + scheme: bearer + bearerFormat: JWT + description: |- + To access a resource to which this security scheme is applied, a valid JSON + JSON Web Token (RFC7519) MUST be passed as a bearer token (RFC6750) in the + 'Authorization' request header, i.e., `Authorization: Bearer `. If + the header is missing or malformed, or if the token is invalid, servers MUST + deny the request with a `401 Unauthorized` response. + + Individual TES instances are encouraged to reference information on token + requirements and how a valid token can be obtained in the + `GET /service-info` response. + parameters: view: name: view From cdcee6dff37dac6b381c63bfd8746f9db58a507e Mon Sep 17 00:00:00 2001 From: Alex Kanitz Date: Wed, 4 Oct 2023 01:33:09 -0700 Subject: [PATCH 2/2] auth: update AuthN/AuthZ documentation --- openapi/task_execution_service.openapi.yaml | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/openapi/task_execution_service.openapi.yaml b/openapi/task_execution_service.openapi.yaml index d70bf2f..e280187 100644 --- a/openapi/task_execution_service.openapi.yaml +++ b/openapi/task_execution_service.openapi.yaml 
@@ -49,14 +49,12 @@ info: ### Authentication and Authorization - Is is envisaged that most TES API instances will require users to authenticate to use the endpoints. - However, the decision if authentication is required should be taken by TES API implementers. + Implementers are required to implement the authentication schemes defined in + `components.securitySchemes`, but they are free to define and implement + additional schemes as per their requirements. - - If authentication is required, we recommend that TES implementations use an OAuth2 bearer token, although they can choose other mechanisms if appropriate. - - - Checking that a user is authorized to submit TES requests is a responsibility of TES implementations. + Checking that a user is authorized to submit TES requests is the responsibility + of each implementation. ### CORS
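Review bot: In the `@@ -66,6 +66,8 @@` hunk, the top-level `security: - bearerAuth: []` applies the scheme to every operation, including `GET /service-info`, yet the scheme description added in the same patch tells instances to publish token requirements and how to obtain a token in the `GET /service-info` response. A client without a token would therefore be rejected with `401` before it can learn how to get one. Consider overriding the requirement on that operation with an empty `security: []` entry so the discovery endpoint stays reachable anonymously, and state that exception in the description.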
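Review bot: In the `@@ -246,6 +248,22 @@` hunk, the description text has a duplicated word ("a valid JSON JSON Web Token") and the example `Authorization: Bearer ` ends without a token placeholder, so the rendered docs will show an incomplete header; suggest `Authorization: Bearer <token>`. The scheme also says servers MUST answer with `401 Unauthorized` when the token is invalid, but "invalid" is not defined and no `401` response is declared on the operations; spelling out at least signature, expiry and audience checks, and adding a shared `401` response (with the `WWW-Authenticate: Bearer` challenge header that RFC 6750 expects) to each operation, would make the requirement verifiable by implementers and conformance tests.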
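Review bot: In the `@@ -49,14 +49,12 @@` hunk, "free to define and implement additional schemes" is ambiguous given the top-level `security` list added in the first patch: with a single `bearerAuth` entry, OpenAPI semantics make the JWT bearer token mandatory on every operation, so an additional scheme can only be an extra requirement, not an alternative, unless it is also listed as its own entry in the top-level `security` array. State which of the two is intended, and note that any alternative scheme must still satisfy the same `401` behaviour described in `components.securitySchemes`. The previous text's pointer to OAuth2 as the recommended issuer of bearer tokens has been dropped entirely; if that recommendation still holds, keep a sentence to that effect so implementers know where the JWT is expected to come from.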