
Data API Authentication and Authorization #12

Open
leomrocha opened this issue Sep 22, 2020 · 1 comment

Comments

@leomrocha
Contributor

leomrocha commented Sep 22, 2020

Acceptance

  • Add simple authentication handling/validation (maybe JWT?)

Tasks

Analysis

Check also related issue #26
Refer to issue #7

rufuspollock changed the title from "Data API Authentication" to "Data API Authentication and Authorization" on Dec 2, 2020
@rufuspollock
Member

@leomrocha

What I had been imagining here is that we'd integrate with https://github.com/datopian/ckanext-authz-service ...

Summary of the flow for client of the API

  • Make request to ckanext-authz authorize endpoint https://github.com/datopian/ckanext-authz-service#authorize
  • Make a request to the Data API using that token
    • Data API checks the token is valid in usual way (i.e. correctly assigned)
    • Checks that the scope allows access to resource sought (may need a bit of work to configure that against scopes that CKAN can authorize - note this relates to bigger idea that Data APIs are associated to Dataset (maybe resource) and inherit their permissions)
    • Converts that into a hasura type scope and passes that along to Hasura (or provides appropriate callback for Hasura)
  • Hasura: we don't use much of Hasura access control at this point https://hasura.io/docs/1.0/graphql/core/auth/index.html
    • We can keep identity and permissions very simple, i.e. just 2 roles: viewer (read), editor (read, write), and then make sure that the wrapper app passes through the right auth header

Key points

  • The Data API operates as a standalone service so it needs to work off JWT or similar
  • It receives an authorization token from the user and checks that against that requested resource
  • For Hasura we can just have very simple permissions, i.e. either you have read access or write access or nothing https://hasura.io/docs/1.0/graphql/core/auth/authorization/index.html
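To make the flow above concrete, here is an added Python sketch of the Data API side (not code from ckanext-authz-service, the Data API or Hasura): verify the bearer JWT, check its scopes against the requested resource and action, and map the outcome to the session variables Hasura's webhook auth mode expects. HS256 with a shared secret, the `res:<id>:<actions>` scope format and the `sub`/`scopes` claim names are assumptions made for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed secret for the example. Assumption: HS256 with a shared secret;
# a real deployment would verify against the authz service's signing key.
SECRET = b"example-shared-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT; stands in for the authorize endpoint in this example."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Return the claims if signature and expiry check out, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    # Pin the algorithm: never let the token choose how it is verified.
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims

def authorize(token: str, resource_id: str, action: str, now=None) -> dict:
    """Check scopes against the requested resource/action and translate the
    result into the two-role model (viewer/editor) as Hasura session variables."""
    claims = verify_token(token, now=now)
    granted = set()
    for scope in claims.get("scopes", []):
        fields = scope.split(":", 2)          # assumed format: res:<id>:<actions>
        if len(fields) == 3 and fields[0] == "res" and fields[1] in (resource_id, "*"):
            granted.update(fields[2].split(","))
    if action not in granted:
        raise PermissionError(f"scope does not allow {action} on {resource_id}")
    role = "editor" if "write" in granted else "viewer"
    return {"X-Hasura-Role": role, "X-Hasura-User-Id": str(claims["sub"])}
```

The scope check runs before anything reaches Hasura, so a token that is valid but scoped to another resource is rejected in the Data API rather than relying on Hasura permissions.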
