Azure/azure-rest-api-specs

[Cognitive Services Face API - Azure AI Vision Face API] API Review

azure-sdk opened this issue · 2 comments

New API Review meeting has been requested.

Service Name: Cognitive Services Face API - Azure AI Vision Face API
Review Created By: Nabil Lathiff
Review Date: 10/31/2024 04:00 PM PT
Release Plan: 1487
PR: #31023
Hero Scenarios Link: here
Core Concepts Doc Link: Not Provided

Description: Face Sessions provide an easier and faster way to enable developers to integrate the Face Frontend Client SDK into their application by solving two major problems with the service today:

  1. Face Sessions provide an authentication token for use on the end-user devices so that the Face Frontend Client SDK can talk to the developer's Face API resource directly but for only the duration and limited scope of the Session. This addresses a blocking issue many of our customers have hit regarding our over-permissioned authentication options (Subscription Key/Azure AD) that exist today. Without the option of Session Auth Tokens, developers have been left to implement their own man-in-the-middle solution that must collect biometric information from the clients and forward it through their own backend service, and then on to the Azure Cognitive Services Face API service, a method which has proven to be very challenging to get right from both a technical and privacy standpoint.
  2. Face Sessions also provide the ability for Developers to audit the requests made to Face API by the client using the Session AuthToken. The developer can query the results of the session and audit all requests/responses by querying Face API using their Subscription Key/AAD auth token via a separate secure channel, a step critical for developers in trusting that the client did what it said it did. We’re working with the security team to create Digests for each request made by the Face Frontend Client SDK to the Face API service side so that message integrity can be validated using 3rd-party channels (such as the Play Store Integrity and App Store Attest APIs) to ensure developers have options to validate that the payload integrity was not compromised in transit.

Detailed meeting information and documents provided can be accessed here
For more information that will help prepare you for this review, the requirements, and office hours, visit the documentation here

Notes from API Review 10/31/2024

  • Interaction is very complex
    • We don't want to "hide" any APIs
  • Why have listSessions API? Don't include it if there is not a customer need for it
  • Should be using the standard operations and not using the AzureFoundations
  • Should version changes to model names
  • What's the purpose of "singlemodal" in the path?
    • How about moving that into the request body
  • Should not use POST to create a session -- should use PUT
    • Do you support the repeatability headers?

I had to drop early so we may need a follow up meeting to cover the remaining content.

Adding the remaining notes from the first review meeting:

Image