Authentication and DataLink

alberto micol amicol.ivoa at googlemail.com
Mon Jan 20 19:21:34 CET 2020


Hi Mark,

Very good question, at the right time for me, given that at ESO we are working on a datalink (and soda) that supports authentication.

My (yet poor) understanding is that the datalink_url will return a 401 with a WWW-Authenticate header field containing one or more challenges.
Isn’t that enough for TOPCAT to know what to do?

Thanks,
Alberto


> On 17. Jan 2020, at 14:55, Mark Taylor <M.B.Taylor at bristol.ac.uk> wrote:
> 
> Hi GWS (and maybe lurking DAL people),
> 
> I have a question about how authentication is supposed to work
> with DataLink (and possibly similar services), related to some 
> experimentation I'm doing with the Gaia archive.
> 
> In Gaia's case there is an authenticated TAP service, which returns tables
> that may have a datalink_url column pointing at DataLink resources.
> The DataLink resources themselves also require authenticated access.
> As currently implemented, the Gaia service requires *different*
> credentials (separate cookies) for the TAP and DataLink services,
> though even if the authentication was the same I see difficulties.
> 
> My prototype auth-capable TOPCAT negotiates authentication when
> the user chooses a TAP service: it finds out what auth methods
> are available from the tap/capabilities file, offers that choice
> to the user, and asks for credentials as appropriate.  It then
> takes care to use these credentials for subsequent interactions
> with that TAP service.  There are a few things to iron out still,
> but the basic model can be made to work.
> 
> However, DataLink, at least as used from TOPCAT, isn't like that.
> The user doesn't select a DataLink service from a list and then
> declare that they want to start interacting with it.
> Rather a URL that points at a DataLink service gets used as a
> source of tables in some other context.  Typical usage:
> the user configures an "activation action" that causes the
> table referenced by the datalink_url column to get loaded into
> TOPCAT when a table row is selected
> (http://www.starlink.ac.uk/topcat/sun253/LoadTableActivationType.html).
> In this case, as far as TOPCAT's concerned this is just a URL pointing
> at a table, and it doesn't know either that it's from a DataLink service 
> or that it's associated with a given TAP service (with particular 
> authentication).  So it doesn't know what authentication to use, 
> or even that it is supposed to retrieve it using authenticated access 
> (until it gets an access error).
> 
> This problem has only recently occurred to me.  I have some half-baked
> ideas about how to tackle it, but they all seem problematic.
> I might be missing something obvious.  Is there somebody with a clear
> idea of how they would expect this to work, in particular from a
> user experience point of view?
> 
> Thanks
> 
> Mark
> 
> --
> Mark Taylor   Astronomical Programmer   Physics, Bristol University, UK
> m.b.taylor at bris.ac.uk +44-117-9288776  http://www.star.bris.ac.uk/~mbt/
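
The 401 / WWW-Authenticate handling discussed in this thread, sketched as an added example that is not part of the original messages or of TOPCAT, ESO or Gaia code. It parses the challenges of one 401 response per RFC 7235 and derives the (origin, realm) key under which a client would cache credentials, so that TAP credentials are not reused for a DataLink URL in a different protection space. All function names, the sample header values and the schemes shown are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
PARAM = re.compile(rf'^({TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({TOKEN}))$')
START = re.compile(rf'^({TOKEN})(?:\s+(.*))?$')
ITEM = re.compile(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+')  # comma split that respects quotes

# Constructed sample: two WWW-Authenticate field values from one hypothetical 401.
SAMPLE = ['Basic realm="datalink, proprietary data", charset="UTF-8"',
          'Bearer realm="archive", error="invalid_token", Negotiate']

def _param(text):  # returns (name, value) for an auth-param, else None
    m = PARAM.match(text.strip())
    if not m:
        return None
    quoted, bare = m.group(2), m.group(3)
    value = bare if quoted is None else re.sub(r'\\(.)', r'\1', quoted)
    return m.group(1).lower(), value

def parse_challenges(header_values):
    # Multiple header fields combine into one comma-separated list of challenges.
    challenges = []
    for item in ITEM.findall(",".join(header_values)):
        kv = _param(item)
        if kv and challenges:              # auth-param of the current challenge
            challenges[-1]["params"][kv[0]] = kv[1]
            continue
        m = START.match(item.strip())
        if not m:
            continue                       # malformed element: ignore it
        rest = (m.group(2) or "").strip()  # first auth-param or a token68
        kv = _param(rest)
        challenges.append({"scheme": m.group(1).lower(), "params": dict([kv] if kv else []),
                           "token68": None if kv else (rest or None)})
    return challenges

def choose(challenges, supported):
    # First match in the client's own preference order; None means "cannot authenticate".
    return next((c for s in supported for c in challenges if c["scheme"] == s), None)

def protection_space(url, challenge):
    # RFC 7235 scopes credentials to (origin, realm): use this as the cache key.
    u = urlsplit(url)
    port = u.port or {"http": 80, "https": 443}.get(u.scheme)
    return (f"{u.scheme}://{u.hostname}:{port}", challenge["params"].get("realm"))
```
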


