[ODATA-301] Guidance around data authorization model and secure authenticated access to an OData Service - OASIS Technical Committees Issue Tracker

XML

Word

Printable

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: V4.0_CSD01
Fix Version/s: V4.0_CSD02
Component/s: Protocol
Labels:
None
Environment:

[Applied]

Proposal:

Hide

Publishers of services requiring authentication SHOULD consider supporting basic authentication over HTTPS and MAY support other authentication methods (highlight this fact in intermediate conformance level). Interoperable clients SHOULD be prepared to handle basic authentication.

Services SHOULD NOT change their data model depending on the authenticated user. If the data model is user (group) dependent, all changes MUST be safe changes as defined in 5.2 Endpoint Versioning when comparing the actual model to the model visible to users with minimal authorizations.

Accepted: https://www.oasis-open.org/committees/download.php/49125/odata-meeting-36_on-20130509-minutes.html#odata-301

Discussed and accepted: https://www.oasis-open.org/apps/org/workgroup/odata/download.php/49132/odata-meeting-36_on-20130509-minutes.html

Show
Publishers of services requiring authentication SHOULD consider supporting basic authentication over HTTPS and MAY support other authentication methods (highlight this fact in intermediate conformance level). Interoperable clients SHOULD be prepared to handle basic authentication. Services SHOULD NOT change their data model depending on the authenticated user. If the data model is user (group) dependent, all changes MUST be safe changes as defined in 5.2 Endpoint Versioning when comparing the actual model to the model visible to users with minimal authorizations. Accepted: https://www.oasis-open.org/committees/download.php/49125/odata-meeting-36_on-20130509-minutes.html#odata-301 Discussed and accepted: https://www.oasis-open.org/apps/org/workgroup/odata/download.php/49132/odata-meeting-36_on-20130509-minutes.html
Resolution:

Hide

https://www.oasis-open.org/committees/download.php/49206/odata-v4.0-wd02-part1-protocol-2013-05-16.docx

Accepted:https://www.oasis-open.org/committees/download.php/49212/odata-meeting-37_on-20130516-minutes.html#odata-301

Show
https://www.oasis-open.org/committees/download.php/49206/odata-v4.0-wd02-part1-protocol-2013-05-16.docx Accepted: https://www.oasis-open.org/committees/download.php/49212/odata-meeting-37_on-20130516-minutes.html#odata-301

Description

For interoperability it is highly desirable to define common minimum set of authentication methods, e.g. if a service requires authentication, it MUST accept basic authentication over HTTPS in addition to whatever else it chooses.

For data authorization we give guidance whether the data model may depend on the authenticated user, only the data content. It puts a higher burden on clients if properties or entity sets appear in or disappear from the model depending on the authenticated user, requiring to always first interpret $metadata, or if only the data content depends on it, i.e. entities show up or not, nullable properties appear to be null or contain confidential information.

Attachments

Activity

People

Assignee:

Ralf Handl

Reporter:

Ralf Handl

Watchers:

0 Start watching this issue

Dates

Created:

18/Mar/13 6:55 AM

Updated:

07/Aug/15 12:52 PM

Resolved:

16/May/13 5:08 PM