Comments (2)
Based on the feedback on slack, I'd suggest the following rewording:
Services SHOULD implement and support an HTTP Authentication and Authorization framework (which can support various schemes) but there is no assumption or recommendation being made in this specification about which authentication scheme should be used by services and clients. See RFC 7235 or Mozilla’s HTTP Authentication for details on this subject.
If an Authentication and Authorisation framework is present, services MUST properly use WWW-Authenticate and/or Proxy-Authenticate response headers and return HTTP status code 403 Forbidden or 401 Unauthorized or 407 Proxy Authentication whenever applicable, and clients MUST properly use Authorization and Proxy-Authorization in their request headers.
from specifications-its-rest.
Specs links are not referring specifically to a particular scheme - basic-auth scheme is RFC 7617, which is not explicitly stated. Protocol of schema negotiation between client and server is part of RFC 7235 and it should not be part of openEHR specs.
The intention of the original mentioned text was to state only that an auth scheme (any!) SHOULD be available to provide a certain security level to the openEHR services. The scheme itself is however not assumed (clients can anyway find out by firing requests on the service).
For conformance testing, if basic-auth is the way to go, then we should add it to the conformance specs as requirements - but the REST API should not be changed.
from specifications-its-rest.
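As an added example (not part of either comment and not openEHR project code), the header rule in the proposed wording can be checked mechanically: RFC 7235 requires WWW-Authenticate on a 401 and Proxy-Authenticate on a 407, and the challenge list in those headers is how a client finds out which schemes a service offers. The function names `parse_challenges` and `check_auth_response` are hypothetical, and the sample responses are constructed.

```python
import re

# Constructed sample responses: (status, [(header name, value), ...]).
SAMPLES = [
    (401, [("WWW-Authenticate", 'Basic realm="openEHR, EHR API", charset="UTF-8", Bearer')]),
    (401, [("Content-Type", "application/json")]),
    (407, [("WWW-Authenticate", 'Basic realm="proxy"')]),
    (403, []),
]

# RFC 7235: 401 MUST carry WWW-Authenticate, 407 MUST carry Proxy-Authenticate.
REQUIRED = {401: "WWW-Authenticate", 407: "Proxy-Authenticate"}

TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
# Comma-separated list items; commas inside quoted strings do not split.
_ITEM = re.compile(r'(?:[^,"]|"(?:\\.|[^"\\])*")+')
# An item opens a new challenge when it is "scheme" or "scheme <params>",
# i.e. its first token is not followed by "=" (that would be an auth-param).
_START = re.compile(rf"({TOKEN})(?:\s+(?![\s=])(.*))?$", re.S)

def parse_challenges(value):
    """Return [(scheme, [raw params])] from a WWW-/Proxy-Authenticate value."""
    challenges = []
    for item in (i.strip() for i in _ITEM.findall(value)):
        if not item:
            continue
        m = _START.match(item)
        if m:
            challenges.append((m.group(1), [m.group(2)] if m.group(2) else []))
        elif challenges:
            challenges[-1][1].append(item)  # auth-param of the current challenge
    return challenges

def check_auth_response(status, headers):
    """Return a list of violations for one response (empty list means OK)."""
    name = REQUIRED.get(status)
    if name is None:
        return []  # 403 and other codes: no challenge header is required
    values = [v for k, v in headers if k.lower() == name.lower()]
    if not values:
        return [f"{status} without {name}"]
    if not any(parse_challenges(v) for v in values):
        return [f"{status} with {name} but no parseable challenge"]
    return []

if __name__ == "__main__":
    for status, headers in SAMPLES:
        print(status, check_auth_response(status, headers) or "ok")
```
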
Related Issues (20)
- PUT composition - typo on no content request?
- Create EHR request defines invalid RM data for Ehr_Status HOT 5
- Clarify RM types for returned data when creating an EHR HOT 2
- Remove reference to deleted EHRs from description of Get EHR_STATUS version by time HOT 1
- Get Versioned_Ehr_Status description in REST api is inconsistent
- Clarify if ORIGINAL_VERSION can be returned where VERSION is expected HOT 1
- Incorrect contens for ORIGINAL_VERSION body contents
- Content-Type header in REST API calls should not be mandatory for empty content HOT 2
- Behaviour for use of composition uid's in POST requests needs clarification HOT 3
- REST: Behaviour of POST when COMPOSITION has a uid should be clarified HOT 2
- REST: Query specifications should reference Definitions HOT 1
- {preceding_version_uid} as path or header parameter? HOT 2
- Split template definition endpoints to adl1.4 one and adl2 one
- Add an undelete operation to the composition endpoint
- Example body for stored AQL query is incorrect.
- Remove version support for template endpoint for adl 1.4 HOT 12
- Documentation issue PUT Composition HOT 3
- Content-Type header in 204 Responses
- GET Template ADL 2 - small inconsistency
- Error on the development build process HOT 2