|
| 1 | +# Transparency Exchange API - Authentication and authorization |
| 2 | + |
| 3 | +This document covers authentication and authorization on the consumer side |
| 4 | +of a TEA service - the discovery and download of software transparency artefacts. |
| 5 | + |
| 6 | +## Requirements |
| 7 | + |
| 8 | +__Authorization__: A user of a TEA service may get access to all objects (leaf, collections) and |
| 9 | +artefacts or just a subset, depending on the publisher of the data. Authorization is connected |
| 10 | +to __authentication__. |
| 11 | + |
| 12 | +The level of authorization is up to the implementer of the TEA implementation and the publisher, |
| 13 | +whether an identity gets access to all objects in a service or just a subset. |
| 14 | + |
| 15 | +In order to get interoperability between clients and servers implementing the protocol, the |
| 16 | +specification focuses on the authentication. After successful authentication, the authorization |
| 17 | +may be implemented in multiple ways - on various levels of the API - depending on what information |
| 18 | +the user can access. |
| 19 | + |
| 20 | +As an example, one implementation may publish all information about existing artefacts and software |
| 21 | +versions openly, but restrict access to artefacts to those that match the customers installation. |
| 22 | +Another implementation can implement a filter that does not show products and versions ("leafs") that |
| 23 | +the customer has not aquired. |
| 24 | + |
| 25 | +For most Open Source projects, implementing authentication - setting up accounts and managing |
| 26 | +authorization - does not make much sense, since the information is usually in the open any way. |
| 27 | + |
| 28 | +This specification does not impose any requirement on authentication on a TEA service. But should |
| 29 | +the provider implement authentication, two methods are supported in order to promote interoperability. |
| 30 | + |
| 31 | +* HTTP Bearer Token Authentication |
| 32 | +* Mutual TLS with verifiable client and server certificates |
| 33 | + |
| 34 | +A client may use both HTTP bearer token auth and TLS client certificates |
| 35 | +when accessing multiple TEA services. It is up to the service provider to select authentication. |
| 36 | + |
| 37 | +## HTTP bearer token auth |
| 38 | + |
| 39 | +The API will support HTTP bearer token in the __Authorization:__ http header. |
| 40 | +How the token is aquired is out of scope for this |
| 41 | +specification, as is the potential content of the token. |
| 42 | + |
| 43 | +As an example the token can be downloaded from a customer support portal with a long-term |
| 44 | +validity. This token is then installed into the software transparency platform (the TEA client) |
| 45 | +and used to automatically retrieve software transparency artefacts. |
| 46 | + |
| 47 | +For each TEA service, one bearer token is needed. The token itself (or the backend) should |
| 48 | +specify authorization for the token. |
| 49 | + |
| 50 | +## Mutual TLS |
| 51 | + |
| 52 | +For Mutual TLS the client certificates will be managed by the service and provided |
| 53 | +in a service-specific way. Clients should be able to configure a separate client certificate |
| 54 | +(and private key) on a per-service level, not assuming that a client certificate |
| 55 | +for one service is trusted anywhere else. |
| 56 | + |
| 57 | +## References |
| 58 | + |
| 59 | +* RFC 6750: The Oauth 2.0 Authorization Framework: Bearer Token |
| 60 | + Usage (https://www.rfc-editor.org/rfc/rfc6750) |
0 commit comments