motivation for SSO_Next custom www-authenticate: {auth-scheme}

Paul Harrison paul.harrison at manchester.ac.uk
Mon Nov 18 16:46:29 CET 2024



> On 18 Nov 2024, at 15:17, Mark Taylor <m.b.taylor at bristol.ac.uk> wrote:
> 
>>> - You might authenticate to make a TAP query, get a DataLink file,
>>>   and save it for later use.  When you re-load it the next day, 
>>>   your application no longer has the same authentication context, 
>>>   and attempting to follow access_urls in the DataLink table will 
>>>   give you 401s.  You don't know which registered service is
>>>   associated with the authentication required, but challenges
>>>   in the 401 headers can tell you how to authenticate.
>>> 
>> This is a more compelling reason on the face of it, but if you accept my initial premise that services should not be handing out datalink references to protected URLs outside their security domain, then this can also be solved by the datalink response containing the ivorn of the service that produced the datalink response.
> 
> Where?  As it stands the DataLink response table has no column
> for such an ivorn.

If the mechanism does not exist yet, it could be added, but the service self-description https://www.ivoa.net/documents/DataLink/20231215/REC-DataLink-1.1.html#tth_sEc4.4 would seem to be the place. The example shown does not have the IVORN as a parameter, but presumably it could. There is a bit of text in that section that says that the {links} capability is not registered (not entirely sure why, but I have felt for a while that datalink has not been able to decide if it is a service or just a response format); however, there could be an IVORN to the originating TAP service.

Paul.