Clarify relationship between Transmitter and AS #245
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -217,21 +217,26 @@ All events MUST be signed using the `RS256` algorithm using a minimum of 2048-bi | |||||
| ## OAuth Service | ||||||
|
|
||||||
| ### Authorization Server | ||||||
|
|
||||||
| An OAuth {{RFC6749}} Authorization Server issues access tokens. In the context of this profile, the Authorization Server that issues access tokens can be a separate entity than the SSF Transmitter. | ||||||
|
|
||||||
| * The Authorization Server MAY distribute discovery metadata (such as the authorization endpoint) via Authorization Server Metadata as specified in [RFC8414]{{RFC8414}} | ||||||
| * The Authorization Server MUST support at least one of the following to issue a short-lived access token to the Receiver | ||||||
| - client credential grant flow {{RFC6749}} section 4.4 | ||||||
| - authorization code flow {{RFC6749}} section 4.1 | ||||||
|
|
||||||
| A short lived access token could be defined as one in which the value of the `exp` claim is not longer than 60 mins after `nbf` claim. Please refer to access token lifetimes in the security considerations of {{FAPI}} for additional considerations. | ||||||
|
|
||||||
| ### OAuth Scopes | ||||||
| Depending on the features supported by the OAuth service and the SSF APIs, the OAuth Client SHALL discover the OAuth scopes as follows: | ||||||
|
|
||||||
| 1. If the Resource Server, hosting SSF configuration APIs, supports OAuth Protected Resource Metadata {{OPRM}} then the client MUST obtain the required scopes by using it. | ||||||
|
|
||||||
| 2. If the Resource Server does not support {{OPRM}}, then the following scopes MUST be supported: | ||||||
| - An OAuth {{RFC6749}} Authorization Server that is used to issue tokens to SSF Receivers, MUST reserve the scopes for the SSF endpoints with the prefix of `ssf` | ||||||
| - All the SSF stream configuration management API operations MUST accept `ssf.manage` scope | ||||||
| - All the SSF stream configuration Read API operations MUST accept `ssf.read` scope | ||||||
| - Authorization Server MAY postfix scope names with more granular operations eg. `ssf.manage.create`, `ssf.manage.update` etc. | ||||||
| - Transmitter managed poll endpoint MAY support the postfix scopes in the same nomenclature as `ssf.manage.poll` | ||||||
|
There was a problem hiding this comment.
Suggested change
There was a problem hiding this comment. To align with the changes from #208 There was a problem hiding this comment. Why do you think this is a "SHOULD" versus a "MAY"? The reason we shouldn't have a SHOULD in this spec, is because we won't be able to determine if something is interoperable or not based on a "SHOULD". If it's a "MAY", it's just informational, and if it is a "MUST", then it can be tested for interoperability. There was a problem hiding this comment. Whatever gets decided, we should make sure #208 is fixed the same way as this |
||||||
|
|
||||||
| ### The SSF Transmitter as a Resource Server | ||||||
|
|
||||||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
An OAuth {{RFC6749}} Authorization Server that issues access tokens. (the word "that" is missing there)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is an informational line describing what an OAuth AS is. i don't think that makes sense gramatically.
We could rephrase it to align with your thoughts here