general-information.md (43 additions & 3 deletions)
@@ -4,7 +4,7 @@ This document contains specifications that are shared between the various MDS [A
4
4
5
5
## Table of Contents
6
6
7
-
-[Authentication](#authentication)
7
+
-[Authorization](#authorization)
8
8
-[Beta Features](#beta-features)
9
9
-[Costs and Currencies](#costs-and-currencies)
10
10
-[Data Types](#data-types)
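Review bot: the renamed entry `-[Authorization](#authorization)` only resolves if the `## Authentication` heading is renamed to match in the same change (it is, in the next hunk), but the body of that section still says "require authentication" and "must be authenticated", so consider naming both the entry and the heading "Authentication and Authorization" rather than swapping one word for the other. The entry keeps the list's existing `-[...]` style with no space after the dash, which is consistent with the neighbouring items.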
@@ -25,11 +25,51 @@ This document contains specifications that are shared between the various MDS [A
25
25
-[Vehicle States](#vehicle-states)
26
26
-[Versioning](#versioning)
27
27
28
-
## Authentication
28
+
## Authorization
29
+
30
+
TBD
31
+
32
+
### Endpoint Requirements
33
+
34
+
All MDS Provider, Agency, and Metrics APIs require authentication, as outlined.
29
35
30
36
If implementing MDS Policy, Geography, and/or Jurisdiction APIs and endpoints, an agency must make them unauthenticated and public. This allows transparency for the public to see how the city is regulating, holds the city accountable for their policy decisions, and reduces the technical burden on providers to use these endpoints. A side benefit is that this allows third parties to ingest this information into their applications and services for public benefit.
31
37
32
-
All other MDS APIs require authentication, as outlined.
38
+
All Provider endpoints must be authenticated, to protect potentially sensitive information.
39
+
40
+
As of MDS 0.3.0, `gbfs.json` is required. The required GBFS endpoints should be made available publicly. See [#realtime-data](https://github.com/openmobilityfoundation/mobility-data-specification/tree/main/provider#realtime-data) for more information about how to implement GBFS for dockless systems.
41
+
42
+
### Header
43
+
44
+
The `Authorization` header is sent as part of an HTTP request. Example:
45
+
46
+
```
47
+
GET /trips HTTP/1.1
48
+
Host: api.provider.co
49
+
Authorization: Bearer <token>
50
+
```
51
+
52
+
More info on how to document [Bearer Auth in swagger](https://swagger.io/docs/specification/authentication/bearer-authentication/)
53
+
54
+
### JSON Web Tokens
55
+
56
+
JSON Web Token ([JWT](https://jwt.io/introduction/)) is **RECOMMENDED** as the token format.
57
+
58
+
JWTs provide a safe, secure way to verify the identity of an agency and provide access to MDS resources without providing access to other, potentially sensitive data.
59
+
60
+
> JSON Web Token (JWT) is an open standard ([RFC 7519](https://tools.ietf.org/html/rfc7519)) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
61
+
62
+
MDS API producers **MAY** include any metadata in the JWT they wish that helps to route, log, permission, or debug agency requests, leaving their internal implementation flexible.
63
+
64
+
JWT provides a helpful [debugger](https://jwt.io/#debugger) for testing your token and verifying security.
65
+
66
+
### OAuth 2.0
67
+
68
+
OAuth 2.0's `client_credentials` grant type (outlined in [RFC6749](https://tools.ietf.org/html/rfc6749#section-4.4)) is **RECOMMENDED** as the authentication and authorization scheme.
69
+
70
+
OAuth 2.0 is an industry standard authorization framework with a variety of existing tooling. The `client_credentials` grant type facilitates generation of tokens that can be used for access by agencies and distributed to data partners.
71
+
72
+
If an MDS `provider` implements this auth scheme, it **MAY** choose to specify token scopes that define access parameters like allowable time ranges. These guidelines **SHOULD** be encoded into the returned token in a parseable way.
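Review bot: a bare `TBD` sits directly under `## Authorization` even though `### Endpoint Requirements`, `### Header`, `### JSON Web Tokens` and `### OAuth 2.0` below it are fully written; either drop the placeholder or say what is still undecided, otherwise implementers will read the whole section as provisional. The heading is changed from Authentication to Authorization, but the content (endpoint requirements, the `Authorization: Bearer <token>` example, token formats) is about authentication as much as authorization, so the name should match the body. The JSON Web Tokens subsection quotes that the token "can be verified and trusted because it is digitally signed" but never requires the receiving API to verify it; add a normative line along the lines of "Receivers SHALL verify the token signature against the expected key and algorithm and SHALL reject expired tokens" ahead of the pointer to the jwt.io debugger, and note there that only test tokens, never live production tokens, should be pasted into a third-party debugger. Minor: the Header example fence has no language tag (`http` renders it properly), and in the OAuth 2.0 paragraph "These guidelines SHOULD be encoded into the returned token" should read "These scopes SHOULD be encoded", since "guidelines" has no antecedent.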
provider/README.md (9 additions & 1 deletion)
@@ -37,12 +37,20 @@ This specification contains a data standard for *mobility as a service* provider
37
37
38
38
## General Information
39
39
40
-
The following information applies to all `provider` API endpoints. Details on providing authorization to endpoints is specified in the [auth](auth.md) document.
40
+
The following information applies to all `provider` API endpoints.
41
41
42
42
This specification uses data types including timestamps, UUIDs, and vehicle state definitions as described in the MDS [General Information][general-information] document.
43
43
44
44
[Top][toc]
45
45
46
+
### Authorization
47
+
48
+
MDS `providers`**SHALL** provide authorization for API endpoints via a bearer token based auth system, and [JSON Web Token](/general-information.md#json-web-tokens) is the recommended format.
49
+
50
+
General authorization details are specified in the [Authorization section](/general-information.md#authorization) in MDS General Information.
51
+
52
+
[Top][toc]
53
+
46
54
### Versioning
47
55
48
56
`provider` APIs must handle requests for specific versions of the specification from clients.
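Review bot: the new line "MDS `providers`**SHALL** provide authorization" is missing the space between the code span and the bold keyword, and the plural inside backticks is inconsistent with the `provider` identifier used everywhere else in this file; write "MDS `provider` APIs **SHALL** provide authorization for API endpoints via a bearer-token-based auth system". The removed sentence pointed at `auth.md`, but this commit touches only `general-information.md` and `provider/README.md`, so `auth.md` is now either orphaned or still linked from elsewhere; delete it or redirect it to the new Authorization section in the same change so the two documents do not drift. Last, this subsection recommends JWT as the format while General Information recommends OAuth 2.0 `client_credentials` as the scheme; linking to `#oauth-20` as well as `#json-web-tokens` would put both recommendations in front of `provider` implementers in one place.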