
Data API Authentication and Authorization #12

Open
leomrocha opened this issue Sep 22, 2020 · 1 comment

Comments

@leomrocha (Contributor) commented Sep 22, 2020

Acceptance

  • Add simple authentication handling/validation (maybe JWT?)

Tasks

Analysis

Check also related issue #26
Refer to issue #7

@rufuspollock rufuspollock changed the title Data API Authentication Data API Authentication and Authorization Dec 2, 2020
@rufuspollock (Member) commented

@leomrocha

What I had been imagining here is that we'd integrate with https://github.com/datopian/ckanext-authz-service ...

Summary of the flow for client of the API

  • Make request to ckanext-authz authorize endpoint https://github.com/datopian/ckanext-authz-service#authorize
  • Make a request to the Data API using that token
    • Data API checks the token is valid in usual way (i.e. correctly assigned)
    • Checks that the scope allows access to resource sought (may need a bit of work to configure that against scopes that CKAN can authorize - note this relates to bigger idea that Data APIs are associated to Dataset (maybe resource) and inherit their permissions)
    • Converts that into a hasura type scope and passes that along to Hasura (or provides appropriate callback for Hasura)
  • Hasura: we don't use much of Hasura access control at this point https://hasura.io/docs/1.0/graphql/core/auth/index.html
    • We can keep identity and permissions very simple, i.e. just 2 roles: viewer (read), editor (read, write), and then make sure that the wrapper app passes through the right auth header

Key points

  • The Data API operates as a standalone service so it needs to work off JWT or similar
  • It receives an authorization token from the user and checks that against that requested resource
  • For Hasura we can just have very simple permissions, i.e. either you have read access, write access or nothing https://hasura.io/docs/1.0/graphql/core/auth/authorization/index.html
