Task
Resolution: Unresolved
Major
RHOAM Sprint 57, RHOAM Sprint 58, RHOAM Sprint 59, RHOAM Sprint 60
The resource server with the FAPI endpoints
- (1) shall support the use of the HTTP GET method as in Section 4.3.1 of RFC7231;
- (2) shall accept access tokens in the HTTP header as in Section 2.1 of OAuth 2.0 Bearer Token Usage RFC6750;
- (3) shall not accept access tokens in the query parameters stated in Section 2.3 of OAuth 2.0 Bearer Token Usage RFC6750;
- (4) shall verify that the access token is neither expired nor revoked;
- (5) shall verify that the scope associated with the access token authorizes access to the resource it is representing;
- (6) shall identify the entity associated with the access token;
- (7) shall only return the resource identified by the combination of the entity implicit in the access token and the granted scope, and otherwise return errors as in Section 3.1 of RFC6750;
- (8) shall encode the response in UTF-8 if applicable;
- (9) shall send the Content-Type HTTP header Content-Type: application/json if applicable;
- (10) shall send the server date in the HTTP Date header as in Section 7.1.1.2 of RFC7231;
- (11) shall set the response header x-fapi-interaction-id to the value received from the corresponding FAPI client request header, or to an RFC4122 UUID value if the request header was not provided, to track the interaction, e.g., x-fapi-interaction-id: c770aef3-6784-41f7-8e0e-ff5f97bddb3a;
- (12) shall log the value of x-fapi-interaction-id in the log entry; and
- (13) shall not reject requests with an x-fapi-customer-ip-address header containing a valid IPv4 or IPv6 address.
NOTE: While this document does not specify the exact method to obtain the entity associated with the access token and the granted scope, the protected resource can use OAuth Token Introspection RFC7662.
Further, the resource server
- (14) should support the use of Cross Origin Resource Sharing (CORS) [CORS] and/or other methods as appropriate to enable JavaScript clients to access the endpoint, if it decides to provide access to JavaScript clients.
NOTE: Providing access to JavaScript clients has other security implications. Before supporting those clients RFC6819 should be consulted.
APIcast already supports (1), (2), (3), (5), (6), (7), (8), (9) and (10).
(4) is supported by the Token Introspection policy.
(14) is also supported by the CORS policy.
TODO:
[ ] 11 - Support x-fapi-interaction-id
[ ] 12 - Log the value of x-fapi-interaction-id in the log entry
[ ] 13 - Handle x-fapi-customer-ip-address header
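The three open items (11), (12) and (13) as plain request/response handling, written as an added example here rather than taken from APIcast's own policy code; the function names and the `x_fapi_*` log field names are my assumptions:

```python
import ipaddress
import uuid

INTERACTION_ID = "x-fapi-interaction-id"
CUSTOMER_IP = "x-fapi-customer-ip-address"


def is_valid_ip(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value.strip())
    except ValueError:
        return False
    return True


def is_uuid(value):
    """True if value is a well-formed RFC4122 UUID string."""
    try:
        uuid.UUID(value)
    except ValueError:
        return False
    return True


def fapi_headers(request_headers, new_id=uuid.uuid4):
    """Apply requirements (11)-(13) to one request.

    request_headers: mapping of request header names (any case) to values.
    new_id: factory for a fresh RFC4122 UUID when the client sent no id
            (injectable so the behaviour can be tested deterministically).
    Returns (response_headers, log_fields). The function never rejects a
    request: a valid customer IP is recorded, and a malformed one is simply
    left out of the log (an assumption; the ticket does not say what to do
    with malformed values).
    """
    headers = {k.lower(): v for k, v in request_headers.items()}

    # (11): echo the client's id, or mint one if the header is absent or empty.
    interaction_id = headers.get(INTERACTION_ID, "").strip() or str(new_id())
    response_headers = {INTERACTION_ID: interaction_id}

    # (12): the id goes into the log entry so the interaction can be traced.
    log_fields = {"x_fapi_interaction_id": interaction_id}

    # (13): a valid IPv4/IPv6 customer address is recorded, never rejected.
    customer_ip = headers.get(CUSTOMER_IP)
    if customer_ip is not None and is_valid_ip(customer_ip):
        log_fields["x_fapi_customer_ip_address"] = customer_ip.strip()

    return response_headers, log_fields
```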