Support for GNAP
jricher opened this issue · 0 comments
Support for the GNAP draft specification would require the specification of the algorithms, key types, and required covered content for a signature. The following examples show what a possible syntax could look like for the new OAS security model proposed in OAI/OpenAPI-Specification#2582.
GNAP's access arrays are similar to RAR (#7), and the proofing section would need to reference other technologies like HTTP Signatures (#8).
This example shows how it could be defined for an example API using HTTP signature bound requests (and tokens) and a
```yaml
components:
  securitySchemes:
    photoApi:
      type: gnap
      credentials:
        - in: header
          name: authorization
          # Case-insensitive "GNAP" scheme followed by the token value
          format: '^[Gg][Nn][Aa][Pp] (.*)$'
      config:
        interact:
          start:
            - redirect
            - user_code
          finish: redirect
        access:
          - type: photo-api
            actions:
              - read
              - write
              - dolphin
            locations:
              - <api endpoint url>
            datatypes:
              - image
              - metadata
          - type: bank-api
            actions:
              - read
            locations:
              - <api endpoint url>
            identifier: <account id>
            datatypes:
              - account
        proof:
          method: httpsig
          alg: rsa-pss-sha512
          keyid: <your key id here>
          coveredComponents:
            # Quoted because a plain YAML scalar cannot start with "@"
            - "@method"
            - content-digest
            - content-type
            - target-uri
          requiredParameters:
            - nonce
            - created
```
As I'm not sure how to show placeholder values, I'm using things like `<your key id>` here.
This proposed syntax is just one possible idea, and I'm looking for feedback on how this could be made to fit the OAS model better.
Addresses #6
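An added example, not part of the issue or of any OAS or GNAP tooling: one way a gateway could check an incoming `Signature-Input` header (HTTP Message Signatures, RFC 9421) against the `proof` block proposed above. The function names, the `PROOF` dictionary layout and the sample header values are assumptions made for illustration; component names are taken verbatim from the proposal.

```python
import re

# Proof requirements copied verbatim from the proposed scheme in the issue.
PROOF = {
    "alg": "rsa-pss-sha512",
    "coveredComponents": ["@method", "content-digest", "content-type", "target-uri"],
    "requiredParameters": ["nonce", "created"],
}

# Constructed sample Signature-Input values (not captured traffic).
GOOD = ('sig1=("@method" "content-digest" "content-type" "target-uri")'
        ';created=1618884473;nonce="b3k2pp5k7z";keyid="test-key";alg="rsa-pss-sha512"')
BAD = 'sig1=("@method" "content-type");created=1618884473;alg="hmac-sha256"'

_MEMBER = re.compile(r'^\s*([a-z*][a-z0-9_.*-]*)=\(([^)]*)\)(.*)$')
_PARAM = re.compile(r';\s*([a-z*][a-z0-9_.*-]*)(?:=("(?:[^"\\]|\\.)*"|[^;]*))?')


def parse_signature_input(value):
    """Parse one Signature-Input member into (label, components, params).

    Simplified: a single signature, components without their own parameters.
    """
    m = _MEMBER.match(value)
    if not m:
        raise ValueError("not a single inner-list Signature-Input member")
    label, inner, tail = m.groups()
    components = re.findall(r'"([^"]*)"', inner)
    params = {}
    for name, raw in _PARAM.findall(tail):
        params[name] = raw.strip().strip('"') if raw else True
    return label, components, params


def check_against_scheme(value, proof=PROOF):
    """Return a list of policy violations; an empty list means acceptable."""
    _, components, params = parse_signature_input(value)
    problems = []
    for c in proof["coveredComponents"]:
        if c not in components:
            problems.append(f"component not covered: {c}")
    for p in proof["requiredParameters"]:
        if p not in params:
            problems.append(f"missing parameter: {p}")
    # alg is optional on the wire; when present it must match the scheme.
    if "alg" in params and params["alg"] != proof["alg"]:
        problems.append(f"unexpected alg: {params['alg']}")
    return problems
```

This checks only what the signature claims to cover; verifying the signature bytes against the key named by `keyid` is a separate step.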