As Italian Ministry of Transportation I would like to access the SIRI end-point with a certain authentication mechanism

[rcavaliere]

The request is to implement the mechanism described in the attached documentation, according to the AGID specification (?).

My suggestion is of course to implement within our Keycloack instance, since this mechanism seems to me identical to what we foresee in case of closed data access.

On the other side I would suggest that our SIRI end-points are also freely available without authentication.

In other words:

• End-point 1 with authentication: to be used with Italian Ministry and other relevant national MaaS stakeholders
• End-point 2 without authentication: our reference SIRI end-point, to be used in general for our communication with the Open Data Hub community

Please also @ohnewein give a feedback to this strategy.
Please give priority to this since we were asked at latest at the beginning of September to have this implemented.

DSSRF-Autorizzazione-APISF-v1.1-signed_signed.pdf

[ohnewein]

Would it be possible to expose a single end-point, which allows the client to authenticate as an optional feature?

In this way clients who are part of the MaaS cooperation can authenticate and have the operations logged, and other clients can just stay unauthenticated.

Would that be an option to reduce end-points?

[rcavaliere]

@ohnewein if possible yes! @clezag do you think this is feasible?

[clezag]

@rcavaliere @ohnewein
I've had a glance at the document, and it looks like standard OIDC, so exactly what we are doing already with Keycloak on our APIs.

I don't see any need to have multiple endpoints. Like with our own APIs (ninja, tourism) you can call with or without a token.

So from a technical point of view, I would simply not implement anything, and let them pass a token if they want to. It will be ignored, they will get the same response as passing no token would. If they really, really want, we can validate the token and give an error in case it's invalid, to POC the whole thing.

What's more concerning to me is that I would avoid using our own Keycloak to manage this, just because right now it is urgent and we have something ready to go. In the document it says that in the future MAAS operators will be able to register on their own etc., which would mean that we, as NOI Techpark would have to manage, maintain and support requests from MAAS operators, that IMO should go to STA or the province.
But this is a strategical decision you have to make.

[rcavaliere]

@clezag our Keycloack will just be used for or Open Data Hub end-point, nothing more. So, no concern about this!
As already shared on other channels, let's go in that way, i.e. 3rd parties can access the resource with or without token, in all cases they get the complete response.

[clezag]

@rcavaliere not sure I understood this.
Do we still have to create a credential pair on our keycloak for them, or will that be handled by STA?

I assume that STA proxies the NAP request to our endpoint.
So really, it should be STA giving them the credentials and letting them request the token from their own OIDC (Keycloak) server.
We would then validate the token against the STA server, or do some kind of Federation (not a Keycloak expert).
If in the future there are other SIRI endpoint (in addition FM, let's say SX) that are not handled by us, the MAAS operator would have to use separate credentials requested from separate servers between say FM and PT endpoints.
Ideally they request a token once from a STA keycloak, and then use that single token to call all SIRI endpoints.

But I understand that if STA does not have the infrastructure and we need it now, we can use our Keycloak. I'm just sharing my concerns. Let me know if you want me to create a credential pair, and I'll send it to you

[rcavaliere]

@clezag no, we have multiple end-points, so I imagine to have two different credentials for accessing the STA end-point and our end-points. Does the Ministry want to have complexity? Let's give it to them :-)
So let's just consider on our part, STA will manage its part. Take in consideration that theoretically only the national MaaS platform will access our end-points, the MaaS Operators will then use the national MaaS platform to get our data.
I say theoretically because it's much more likely that they will use our API, without authentication...

[clezag]

@rcavaliere did you get any feedback on the credentials I sent you?

[rcavaliere]

@clezag not yet, but I think should be OK. I will let you know when we have a more consolidated feedback!