Authentication / Authorization

[cttengsfmta]

Currently the provider API specifies an authorization scheme that points at the Swagger bearer authentication API description. Any request with a valid bearer token is authorized for any particular API endpoint

• How is authorization and authentication handled in the agency API?
• How are these tokens obtained?

[thekaveman]

• how are these tokens obtained?

There was a related discussion about that over on #81, and the consensus was that that is an implementation detail of the Provider's - MDS just requires support for the bearer token.

[hunterowens]

yeah, each provider has their own auth to obtain token.

In agency, I think the best approach would be to mirror that. @toddapetersen can you update agency to document auth support?

[cttengsfmta]

yeah, each provider has their own auth to obtain token.

Can we make it optional, then? We don't want to support a different token exchange scheme for each provider. We don't have the resources for that. We need all the providers to use the same scheme.

[cttengsfmta]

@noonhub 's proposal in #81 seems reasonable to us, FWIW.

[hunterowens]

With #143 merged, I think we can close this issue. Starting with version 0.2.1, all providers should generate an oauth_client credentials flow to allow token creation and sub token creation.