
As Italian Ministry of Transportation I would like to access the SIRI end-point with a certain authentication mechanism #7

Open
rcavaliere opened this issue Aug 14, 2024 · 8 comments

@rcavaliere
Member

rcavaliere commented Aug 14, 2024

The request is to implement the mechanism described in the attached documentation, according to the AGID specification (?).

My suggestion is of course to implement within our Keycloak instance, since this mechanism seems to me identical to what we foresee in case of closed data access.

On the other side I would suggest that our SIRI end-points are also freely available without authentication.

In other words:

  • End-point 1 with authentication: to be used with Italian Ministry and other relevant national MaaS stakeholders
  • End-point 2 without authentication: our reference SIRI end-point, to be used in general for our communication with the Open Data Hub community

Please also @ohnewein give a feedback to this strategy.
Please give priority to this since we were asked at latest at the beginning of September to have this implemented.

DSSRF-Autorizzazione-APISF-v1.1-signed_signed.pdf

@ohnewein
Member

Would it be possible to expose a single end-point, which allows the client to authenticate as an optional feature?

In this way clients who are part of the MaaS cooperation can authenticate and have the operations logged, and other clients can just stay unauthenticated.

Would that be an option to reduce end-points?

@rcavaliere
Member Author

@ohnewein if possible yes! @clezag do you think this is feasible?

@clezag clezag transferred this issue from noi-techpark/odh-api-core Aug 14, 2024
@clezag
Member

clezag commented Aug 14, 2024

@rcavaliere @ohnewein
I've had a glance at the document, and it looks like standard OIDC, so exactly what we are doing already with Keycloak on our APIs.

I don't see any need to have multiple endpoints. Like with our own APIs (ninja, tourism) you can call with or without a token.

So from a technical point of view, I would simply not implement anything, and let them pass a token if they want to. It will be ignored, they will get the same response as passing no token would. If they really, really want, we can validate the token and give an error in case it's invalid, to POC the whole thing.

What's more concerning to me is that I would avoid using our own Keycloak to manage this, just because right now it is urgent and we have something ready to go. In the document it says that in the future MAAS operators will be able to register on their own etc., which would mean that we, as NOI Techpark would have to manage, maintain and support requests from MAAS operators, that IMO should go to STA or the province.
But this is a strategical decision you have to make.
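As an added example, not code from this issue or from the Open Data Hub project, here is a Go sketch of the single-endpoint approach discussed above: the SIRI handler answers with or without a token, and a token that is present is validated as a standard OIDC RS256 access token before the call is logged with its subject. The issuer URL, the in-process signing key (standing in for the JWKS a Keycloak realm publishes), the `kid` value `k1`, the `/siri/vm` path and the SIRI body are all assumptions made for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Claims is the subset of access-token claims the endpoint checks (constructed).
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// Verifier stands in for the JWKS fetched from the Keycloak realm's OIDC discovery
// document, keyed by kid; in this demo the trusted key is generated in-process.
type Verifier struct {
	Issuer string
	Keys   map[string]*rsa.PublicKey
}

// Verify validates an RS256 JWT: structure, pinned alg, known kid, signature, iss, exp.
func (v *Verifier) Verify(token string) (*Claims, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if raw, err := b64.DecodeString(p[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, fmt.Errorf("bad header")
	}
	pub, known := v.Keys[hdr.Kid]
	if hdr.Alg != "RS256" || !known { // the token never gets to choose "none" or an HMAC alg
		return nil, fmt.Errorf("unsupported alg %q or unknown kid %q", hdr.Alg, hdr.Kid)
	}
	digest := sha256.Sum256([]byte(p[0] + "." + p[1])) // the signature covers header.payload
	if sig, err := b64.DecodeString(p[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature mismatch")
	}
	var c Claims
	if raw, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("bad payload")
	}
	if c.Iss != v.Issuer || time.Now().Unix() >= c.Exp {
		return nil, fmt.Errorf("wrong issuer or expired")
	}
	return &c, nil
}

// OptionalAuth: no Authorization header means an anonymous caller; a bearer token that is
// present must verify, otherwise 401, so a broken integration is noticed instead of being
// silently downgraded to anonymous. Both kinds of caller get the same body from the same handler.
func OptionalAuth(v *Verifier, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		subject := "anonymous"
		if auth := r.Header.Get("Authorization"); auth != "" {
			c, err := v.Verify(strings.TrimPrefix(auth, "Bearer "))
			if !strings.HasPrefix(auth, "Bearer ") || err != nil {
				http.Error(w, "invalid bearer token", http.StatusUnauthorized)
				return
			}
			subject = c.Sub
		}
		log.Printf("siri %s %s subject=%s", r.Method, r.URL.Path, subject) // audit trail
		next.ServeHTTP(w, r)
	})
}

// SignToken mints an RS256 JWT; it stands in for the Keycloak token endpoint.
func SignToken(priv *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

// NewDemoVerifier generates a key pair and a Verifier that trusts it under kid "k1".
func NewDemoVerifier() (*rsa.PrivateKey, *Verifier) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	iss := "https://auth.example.invalid/realms/maas" // placeholder issuer URL
	return priv, &Verifier{Issuer: iss, Keys: map[string]*rsa.PublicKey{"k1": &priv.PublicKey}}
}

func main() {
	priv, v := NewDemoVerifier()
	tok := SignToken(priv, "k1", Claims{Iss: v.Issuer, Sub: "national-maas-platform", Exp: time.Now().Add(time.Hour).Unix()})
	fmt.Println("try: curl localhost:8080/siri/vm  and  curl -H 'Authorization: Bearer " + tok + "' localhost:8080/siri/vm")
	siri := func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, `<Siri version="2.0"><ServiceDelivery/></Siri>`) }
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", OptionalAuth(v, http.HandlerFunc(siri))))
}
```

The one design decision worth spelling out is what to do with a token that is present but invalid: the middleware rejects it rather than treating the caller as anonymous, so that a MaaS client with a misconfigured credential sees the failure immediately instead of silently getting unlogged anonymous access. In production the `Keys` map would be refreshed from the realm's `jwks_uri`, and `Issuer` would be the realm URL of whichever Keycloak (NOI's or STA's) ends up issuing the credentials.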

@rcavaliere
Member Author

@clezag our Keycloak will just be used for our Open Data Hub end-point, nothing more. So, no concern about this!
As already shared on other channels, let's go in that way, i.e. 3rd parties can access the resource with or without token, in all cases they get the complete response.

@clezag
Member

clezag commented Aug 14, 2024

@rcavaliere not sure I understood this.
Do we still have to create a credential pair on our keycloak for them, or will that be handled by STA?

I assume that STA proxies the NAP request to our endpoint.
So really, it should be STA giving them the credentials and letting them request the token from their own OIDC (Keycloak) server.
We would then validate the token against the STA server, or do some kind of Federation (not a Keycloak expert).
If in the future there are other SIRI endpoints (in addition to FM, let's say SX) that are not handled by us, the MAAS operator would have to use separate credentials requested from separate servers between say FM and PT endpoints.
Ideally they request a token once from a STA keycloak, and then use that single token to call all SIRI endpoints.

But I understand that if STA does not have the infrastructure and we need it now, we can use our Keycloak. I'm just sharing my concerns. Let me know if you want me to create a credential pair, and I'll send it to you.

@rcavaliere
Member Author

@clezag no, we have multiple end-points, so I imagine having two different credentials for accessing the STA end-point and our end-points. Does the Ministry want to have complexity? Let's give it to them :-)
So let's just consider our part, STA will manage its part. Take into consideration that theoretically only the national MaaS platform will access our end-points, the MaaS Operators will then use the national MaaS platform to get our data.
I say theoretically because it's much more likely that they will use our API, without authentication...

@clezag
Member

clezag commented Aug 20, 2024

@rcavaliere did you get any feedback on the credentials I sent you?

@rcavaliere
Member Author

@clezag not yet, but I think it should be OK. I will let you know when we have a more consolidated feedback!
