
Comments (3)

jlurien avatar jlurien commented on August 19, 2024

With the pressure to decide something for the meta-release, the safest approach would be to attach to sessionInfo the same device value that was passed in the createSession request. That would imply that if device was omitted, no device must be returned. If a device was included, keep the same values and state that those were the original values at the time of creation. That would work for GET /sessions/{sessionId}.

For the endpoint that retrieves sessions by device, there may be corner cases and it would be up to the implementation to be able to find the session or return an error or empty array. For example, if a session was created with certain IPs and now the IPs are different, the implementation may be able to know that they identify the same device and return it, or not. For many usual cases where phoneNumbers are used, it should not be a problem, and I think we shouldn't limit functionality for the most common cases because of the corner ones.

from qualityondemand.

eric-murray avatar eric-murray commented on August 19, 2024

If a 3-legged token is being used, the service API will (probably) not know what end user identifiers were used to generate that token. But both the API provider and client will know the sub (subject) claim of the ID token.

So, for that scenario, I'd suggest using the sub claim (a string) as the end user identifier in the session info. Indeed, this could be generalised to the 2-legged token case, though in that case we don't get the sub calculated for "free" by OIDC, and hence would need to calculate that separately.

I agree it is too late for the meta-release, so I also agree that only device identifiers explicitly provided by the API client should be stored in the session info.

In fact, I would go further, and say that only one "identifier" (it might be a value pair) should be in the session info, with the identifier being decided by the API provider. This is because of Commonalities Issue 259. We cannot now return 422 - DEVICE_IDENTIFIERS_MISMATCH (otherwise the API consumer will learn that a given ipv4address is not being used by a given phoneNumber), so better to accept one and ignore the rest.

I've not thought about IP address re-assignment, but my instinct is that, if the device gets allocated a new public IPv4 address or IPv6 routing prefix, then the session should be terminated and then re-created for the new address.

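The two comments above describe a single policy: store only what the client explicitly supplied at creation (or the token's sub claim for 3-legged tokens), keep one provider-chosen identifier so that no mismatch is ever reported, and match lookups by device on that stored identifier only. The sketch below is an added example written for this thread, not CAMARA or qualityondemand code; the identifier key names other than phoneNumber and ipv4Address, the endUserId field, and the precedence order are assumptions.

```python
from typing import Optional

# Provider-chosen precedence (assumed order): exactly one identifier is kept and the
# rest are ignored, so a mismatch between them is never signalled to the API consumer.
IDENTIFIER_PRECEDENCE = ("phoneNumber", "networkAccessIdentifier", "ipv4Address", "ipv6Address")


def select_device_identifier(device: Optional[dict]) -> Optional[dict]:
    """Return the single identifier the provider will store, or None if none was given."""
    if not device:
        return None
    for key in IDENTIFIER_PRECEDENCE:
        if key in device:
            return {key: device[key]}
    return None


def build_session_info(session_id: str, create_request: dict, token_claims: dict) -> dict:
    """Build the sessionInfo stored at creation and returned by GET /sessions/{sessionId}."""
    info = {"sessionId": session_id, "qosProfile": create_request["qosProfile"]}
    if "sub" in token_claims:
        # 3-legged token: the provider does not know which identifiers produced the token,
        # but both sides know the ID-token subject, so store that (field name assumed).
        info["endUserId"] = token_claims["sub"]
    else:
        chosen = select_device_identifier(create_request.get("device"))
        if chosen is not None:  # device omitted at creation -> no device is returned
            info["device"] = chosen
    return info


def sessions_for_device(sessions: list, device: dict) -> list:
    """Lookup by device: compare only the identifier that was stored at creation.

    A query carrying the stored phoneNumber still matches after the device's IP changed;
    a query carrying only a different identifier type yields an empty array.
    """
    wanted = select_device_identifier(device)
    return [s for s in sessions if wanted is not None and s.get("device") == wanted]


# Constructed sample requests (not taken from any real session)
REQ_PHONE = {"qosProfile": "QOS_E",
             "device": {"phoneNumber": "+123456789",
                        "ipv4Address": {"publicAddress": "203.0.113.7"}}}
REQ_NO_DEVICE = {"qosProfile": "QOS_L"}
```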

hdamker avatar hdamker commented on August 19, 2024

The issue at hand is addressed with hdamker@b349cda.

Further potential information leaks, e.g. by an error message when a 3-legged token and a device identifier within the request do not match, are under discussion within camaraproject/Commonalities#259.

