[ARVADOS] updated: 0f2ab548f96e8604a929e0636517f634b7dfb0ad

Git user git at public.curoverse.com
Wed Nov 2 15:26:22 EDT 2016


Summary of changes:
 doc/api/authentication.html.textile.liquid         | 40 ----------------------
 .../api_client_authorizations.html.textile.liquid  |  2 +-
 doc/api/methods/api_clients.html.textile.liquid    |  2 ++
 doc/api/tokens.html.textile.liquid                 | 14 +++++++-
 4 files changed, 16 insertions(+), 42 deletions(-)
 delete mode 100644 doc/api/authentication.html.textile.liquid

       via  0f2ab548f96e8604a929e0636517f634b7dfb0ad (commit)
      from  e59d21d3f47cbee83a6dc389584bd7b17bec270c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 0f2ab548f96e8604a929e0636517f634b7dfb0ad
Author: Peter Amstutz <peter.amstutz at curoverse.com>
Date:   Tue Nov 1 18:05:21 2016 -0400

    10346: Document api_clients and trusted client.

diff --git a/doc/api/authentication.html.textile.liquid b/doc/api/authentication.html.textile.liquid
deleted file mode 100644
index cbf7553..0000000
--- a/doc/api/authentication.html.textile.liquid
+++ /dev/null
@@ -1,40 +0,0 @@
----
-layout: default
-navsection: api
-navmenu: Concepts
-title: Authentication
-
-...
-
-
-
-Every API request (except the authentication API itself) includes an @access_token@ parameter.
-
-table(table table-bordered table-condensed).
-|Name|Type|Description|
-|access_token|string|Access token returned by OAuth 2.0 authorization procedure|
-
-Many resources contain "actor" attributes like @modified_by at .  An @access_token@ uniquely identifies a client (application or project) and an end-user.
-
-table(table table-bordered table-condensed).
-|Name|Type|Description|
-|modified_by_client_uuid|string|ID of API client|
-|modified_by_user_uuid|string|ID of authenticated user|
-
-h2. Authorizing a client application
-
-The Arvados API uses the "OAuth 2.0 protocol":http://tools.ietf.org/html/draft-ietf-oauth-v2-22 for authentication and authorization.
-
-h3. Register your client application
-
-Before an application can run on an Arvados cloud, it needs to be registered with the cloud. 
-
-That registration yields a @client_id@ and a @client_secret at . 
-
-h3. Obtain an access code
-
-A client obtains an access code by means of a standard Oauth 2.0 flow. The access code is granted to it by an authorized user. The client requests one or more scopes, which translate to a set of requested permissions (reading, writing, etc). Unless the access is to be short-lived, a refresh token is also granted to the application. 
-
-h3. Refresh the access code (optional)
-
-Access codes have a limited lifetime. A refresh token allows an application to request a new access token.
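Review bot: the whole page is removed but nothing in this patch updates links to it, so check that no other page still points at doc/api/authentication.html or at the "Authentication" entry under navmenu Concepts before this lands. The deleted text also described an OAuth 2.0 client registration flow (client_id / client_secret, scopes, refresh tokens) that the surviving tokens page does not implement, so dropping it is reasonable, but the "actor" attributes table (modified_by_client_uuid, modified_by_user_uuid) goes with it and is not reintroduced elsewhere in this patch; that token-to-client/user mapping is exactly what the new "Trusted API clients" section relies on, so it is worth carrying over to the tokens page or the api_clients page.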
diff --git a/doc/api/methods/api_client_authorizations.html.textile.liquid b/doc/api/methods/api_client_authorizations.html.textile.liquid
index 7d392be..660e5dd 100644
--- a/doc/api/methods/api_client_authorizations.html.textile.liquid
+++ b/doc/api/methods/api_client_authorizations.html.textile.liquid
@@ -14,7 +14,7 @@ Required arguments are displayed in %{background:#ccffcc}green%.
 
 h2. Resource
 
-The @api_client_authorizations@ resource stores the list of API tokens that have been issued to permit access the API server.
+The @api_client_authorizations@ resource stores the API tokens that have been issued to permit access the API server.
 
 An ApiClientAuthorization is *not* a generic Arvados resource.  The full list of properties that belong to an ApiClientAuthorization is:
 
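Review bot: the rewritten line still reads "permit access the API server"; it needs "to". Suggest: "The @api_client_authorizations@ resource stores the API tokens that have been issued to permit access to the API server."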
diff --git a/doc/api/methods/api_clients.html.textile.liquid b/doc/api/methods/api_clients.html.textile.liquid
index 3c668bd..d7c834e 100644
--- a/doc/api/methods/api_clients.html.textile.liquid
+++ b/doc/api/methods/api_clients.html.textile.liquid
@@ -16,6 +16,8 @@ Required arguments are displayed in %{background:#ccffcc}green%.
 
 h2. Resource
 
+which are permitted to access the API server.  Applications must provide
+
 Each ApiClient has, in addition to the usual "attributes of Arvados resources":{{site.baseurl}}/api/resources.html:
 
 table(table table-bordered table-condensed).
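Review bot: the two added lines are a sentence fragment and will render that way. "which are permitted to access the API server.  Applications must provide" has no subject before "which" (the lead sentence describing what the @api_clients@ resource stores is missing) and trails off after "provide". Supply the opening sentence, and either finish "Applications must provide ..." or drop it.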
diff --git a/doc/api/tokens.html.textile.liquid b/doc/api/tokens.html.textile.liquid
index 458c41b..83b0858 100644
--- a/doc/api/tokens.html.textile.liquid
+++ b/doc/api/tokens.html.textile.liquid
@@ -14,8 +14,20 @@ Browser based applications can perform log in via the following flow:
 # The "login" link takes the browser to the login page (this may involve several redirects)
 # The user logs in.  API server authenticates the user and issues a new API token.
 # The browser is redirected to the login page URL provided in @return_to=XXX@ with the addition of @?api_token=xxxxapitokenxxxx at .
-# The web application gets the login request with the included API token.
+# The web application gets the login request with the included authorization token.
 
 h2. Creating tokens via the API
 
 Use the @create@ method of the "API client authorizations":{{site.baseurl}}/api/methods/api_client_authorizations.html resource.
+
+h2. Trusted API clients
+
+The "api_clients" resource applies access restrictions to web applications that have gone through the browser login flow.
+
+After the user has authenticated, but before an authorization token is issued and browser redirect sent (sending the browser back to the @return_to@ login page bearing @api_token@), the server strips the path and query portion from @return_to@ to get @url_prefix@ finds or creates an ApiClient object.  The newly issued API client authorization (API token) is associated with this ApiClient object.
+
+API clients may be marked as "trusted".  An authorization token associated with a "trusted" client is permitted to list authorization tokens on "API client authorizations":{{site.baseurl}}/api/methods/api_client_authorizations.html .
+
+A authorization token which is not associated with a trusted client may only use the @current@ method to query its own api_client_authorization object.  The "untrusted" token is forbidden performing any other operations on API client authorizations, such as listing other authorizations or creating new authorizations.
+
+Authorization tokens which are not issued via the browser login flow (created directly via the API) will not have an associated api client.  This means authorization tokens created via the API are always "untrusted".
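Review bot: the trust decision in the new section keys entirely on @url_prefix@, which the text says is obtained by stripping the path and query from @return_to@; the doc should state outright that every web application served from the same scheme, host and port therefore maps to one ApiClient and inherits its trusted status, and it should say how a client gets marked trusted (which attribute, and who is allowed to set it), since "may be marked as 'trusted'" leaves both open. Three wording fixes in the added text as well: "to get @url_prefix@ finds or creates an ApiClient object" is missing a conjunction ("to get @url_prefix@, then finds or creates an ApiClient object"); "A authorization token" should be "An authorization token"; and "is forbidden performing" should be "is forbidden from performing".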

-----------------------------------------------------------------------


hooks/post-receive
-- 




More information about the arvados-commits mailing list