|
| 1 | +--- |
| 2 | +title: Security and OGC APIs |
| 3 | +--- |
| 4 | + |
| 5 | +# Security and OGC APIs |
| 6 | + |
| 7 | +OGC APIs are designed using modern technologies in order to lower the barrier to geospatial data, services, and processes. |
| 8 | + |
| 9 | +## SSL/TLS |
| 10 | + |
| 11 | +OGC APIs can be deployed using HTTP or HTTPS. It is strongly recommended to deploy any services using HTTPS so that clients |
| 12 | +can validate and verify authenticity of your services accordingly. Depending on how your system is architected, this may mean |
| 13 | +applying Secure Sockets Layer/Transport Layer Security (SSL/TLS) on your service host, or if you have a multi-layered deployment |
| 14 | +architecture, applying as part of your front-end services, at which point internal/inner communication may or may not be implemented |
| 15 | +using HTTP. |
| 16 | + |
| 17 | +## Access control |
| 18 | + |
| 19 | +Open Standards and APIs are not only for Open Data. Implementing access control (authentication, authorization) is a critical component |
| 20 | +of many infrastructures and systems in order to maintain data integrity, authority and trust. Examples of requiring access control in |
| 21 | +OGC APIs includes (but is not limited to): |
| 22 | + |
| 23 | +- securing all endpoints |
| 24 | +- securing only specific endpoints |
| 25 | +- allowing insert/update/delete capabilities on items in a collection |
| 26 | +- allowing insert/update/delete capabilities on collections |
| 27 | + |
| 28 | +Given that access control concerns, implementations and architectures exist for many domains, it is best to leverage industry standards |
| 29 | +for implementation. Given OGC API standards leverage the OpenAPI specification for service descriptions, one can use the OpenAPI |
| 30 | +[Security Scheme Object](https://spec.openapis.org/oas/v3.0.3#security-scheme-object) to describe (not implement!) the access control mechanism(s) for the |
| 31 | +entire API as well as for a specific path/operation of the API. |
| 32 | + |
| 33 | +Supported OpenAPI security schemes include: |
| 34 | + |
| 35 | +- API key (`apiKey`) |
| 36 | +- HTTP authentication (`http`) |
| 37 | +- OAuth2 common flows (`oauth2`) |
| 38 | +- OpenID Connect Discovery (`openIdConnect`) |
| 39 | + |
| 40 | + |
| 41 | +Access control using HTTP Basic authentication: |
| 42 | +```json |
| 43 | +"security": { |
| 44 | + "default": { |
| 45 | + "type": "http", |
| 46 | + "scheme": "basic", |
| 47 | + "description": "Please contact us for access information" |
| 48 | + } |
| 49 | +} |
| 50 | +``` |
| 51 | + |
| 52 | +Access control using an API key: |
| 53 | +```json |
| 54 | +"security": { |
| 55 | + "default": { |
| 56 | + "type": "apiKey", |
| 57 | + "name": "api-key", |
| 58 | + "in": "query", |
| 59 | + "description": "Please see https://example.org/contact-us for more information" |
| 60 | + } |
| 61 | +} |
| 62 | +``` |
| 63 | + |
| 64 | +Access control using OAuth2: |
| 65 | +```json |
| 66 | +"security": { |
| 67 | + "default": { |
| 68 | + "type": "oauth2", |
| 69 | + "authorizationUrl": "https://example.org/oauth/authorize", |
| 70 | + "flow": "implicit", |
| 71 | + "description": "Please see https://example.org/contact-us for more information" |
| 72 | + "scopes": { |
| 73 | + "read:roads": "read roads collection", |
| 74 | + "write:roads": "modify roads in the roads collection" |
| 75 | + } |
| 76 | +} |
| 77 | +``` |
| 78 | + |
| 79 | +!!! note |
| 80 | + Implementing the above assumes that the required access control mechanisms are in place. |
0 commit comments