Adding auth headers standardized in DRS #162

Open
wants to merge 1 commit into
base: develop-1.1

Conversation

kellrott
Member

No description provided.

@kellrott kellrott added this to the 1.1 milestone Oct 12, 2021
@uniqueg
Contributor

uniqueg commented Jul 19, 2022

Related issue: #151

@uniqueg
Contributor

uniqueg commented Jul 26, 2022

Overview of how this is done in other GA4GH APIs as of today (default branches, latest commits).

Summary

Here's a table highlighting commonalities/differences (see below for details on each API):

| API | Work Stream | Schemes | Applied globally | Applied per operation |
|---|---|---|---|---|
| TES (this PR) | Cloud | basic, bearer, passport | basic, bearer | N/A |
| WES | Cloud | N/A | N/A | N/A |
| DRS | Cloud | basic, bearer, passport | basic, bearer | passport (some operations) |
| TRS | Cloud | bearer | N/A | bearer (all operations) |
| Service Registry | Discovery | bearer | bearer | N/A |
| Service Info | Discovery | bearer | bearer | N/A |

In summary, there is little consistency across the individual specifications with regard to security scheme definitions. The proposed change for adding security schemes to the TES specification follows the definitions for the DRS specification, with the only exception that it does not apply the passport security scheme to any operations. Across the definitions listed, the only two that are completely identical (both in definitions and applications) are the ones from the Discovery Work Stream. The TRS security scheme definition is similar in spirit to those of the Service Registry and Info specifications, but uses the apiKey type rather than the http type with scheme bearer, probably as an artifact from a previous OpenAPI/Swagger 2.0-based definition, which did not support Bearer authentication explicitly. Probably the most relevant template for security scheme definitions in the TES specification would be the WES specification. However, WES currently does not specify security scheme definitions at all.

Details

WES, commit 33253aa

No security schemes defined/applied!

DRS, commit 4ae488e

Definition of security schemes:

components:
  securitySchemes:
    BasicAuth:
      type: http
      scheme: basic
      description: |
        A valid authorization token must be passed in the 'Authorization' header,
        e.g. "Basic ${token_string}"
    BearerAuth:
      type: http
      scheme: bearer
      description:
        A valid authorization token must be passed in the 'Authorization' header,
        e.g. "Bearer ${token_string}"
    PassportAuth:
      type: http
      scheme: bearer
      x-in: body
      bearerFormat: JWT
      description:
        A valid GA4GH Passport must be passed in the body of an HTTP POST request as a tokens[] array.

Application of security schemes globally, i.e., to all operations:

security:
  - {}
  - BasicAuth: []
  - BearerAuth: []

Application of security schemes per operation (certain operations only: #1, #2):

security:
  - PassportAuth: []

TRS, commit 75a9ca3

Definition of security schemes:

components:
  securitySchemes:
    BEARER:
      type: apiKey
      name: Authorization
      in: header

Application of security schemes globally, i.e., to all operations:

No security schemes applied globally!

Application of security schemes per operation (applied to all operations, e.g., #1):

security:
  - BEARER: []

Service Registry, commit e0358db

Definition of security schemes:

components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT

Application of security schemes globally, i.e., to all operations:

security:
  - bearerAuth: []

Application of security schemes per operation (certain operations):

No security schemes applied for individual operations!

Service Info, commit 11d2c12

Definition of security schemes:

components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT

Application of security schemes globally, i.e., to all operations:

security:
  - bearerAuth: []

Application of security schemes per operation (certain operations):

No security schemes applied for individual operations!
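As an added example (not part of this PR or of any GA4GH specification), a small Python audit that reads an OpenAPI 3 document and produces the kind of overview tabulated in the comment above: which `securitySchemes` are defined, which are applied globally or per operation, whether anonymous access (`- {}`) is allowed, and whether any scheme is referenced but never defined or defined but never applied. The sample document is constructed to mirror the DRS pattern quoted above; the `TokenAuth` reference is a deliberate typo to exercise the undefined-scheme check.

```python
# Constructed sample mirroring the DRS pattern quoted above: anonymous access
# (`{}`), Basic and Bearer applied globally, Passport on one POST only. The
# "TokenAuth" reference is a deliberate typo to show how an undefined scheme
# is reported.
SAMPLE_SPEC = {
    "components": {"securitySchemes": {
        "BasicAuth": {"type": "http", "scheme": "basic"},
        "BearerAuth": {"type": "http", "scheme": "bearer"},
        "PassportAuth": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"},
    }},
    "security": [{}, {"BasicAuth": []}, {"BearerAuth": []}],
    "paths": {
        "/objects/{object_id}": {"get": {}, "post": {"security": [{"PassportAuth": []}]}},
        "/service-info": {"get": {"security": [{"TokenAuth": []}]}},
    },
}

def _names(requirements):
    """Flatten a `security` list; an empty requirement `{}` becomes None (anonymous)."""
    out = []
    for req in requirements:
        out.extend(req.keys() if req else [None])
    return out

def audit_security(spec):
    """Report which schemes are defined, where they apply, and what is inconsistent."""
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    report = {"global": [], "anonymous_global": False, "per_operation": {},
              "undefined_refs": set(), "unused": set(defined)}
    # Top-level `security` covers every operation that does not override it.
    for name in _names(spec.get("security", [])):
        if name is None:
            report["anonymous_global"] = True  # `- {}` means no auth required
        else:
            report["global"].append(name)
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            if "security" in op:  # an operation-level list replaces the global one
                report["per_operation"][f"{method.upper()} {path}"] = _names(op["security"])
    applied = report["global"] + [n for ns in report["per_operation"].values() for n in ns]
    for name in applied:
        if name is None:
            continue
        if name in defined:
            report["unused"].discard(name)
        else:
            report["undefined_refs"].add(name)
    return report

if __name__ == "__main__":
    for key, value in audit_security(SAMPLE_SPEC).items():
        print(f"{key}: {value}")
```

A definition that is never applied (the `unused` entry) is exactly the situation this PR creates for the passport scheme, so the check is a cheap way to catch that a spec's security story and its operations have drifted apart.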
