Commit

Note authentication decision
Also mention the use of scopes for the UWS service itself.
rra committed Sep 19, 2024
1 parent ece0edf commit e4a0c09
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion index.rst
Expand Up @@ -100,7 +100,7 @@ Authentication
--------------

There are two possible ways, with different trade-offs, to authenticate application requests to the UWS service.
The bot token approach is the simplest, so we will likely start with that, but the second approach has some useful properties that are worth consideration.
We decided to take the delegated token approach, since it seems like the more elegant solution and shouldn't be that much additional work.

Bot tokens
""""""""""
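
Review bot: The new sentence "We decided to take the delegated token approach" now follows "There are two possible ways, with different trade-offs" directly, so the introduction presents an open choice and a decision back to back, and the stated rationale ("seems like the more elegant solution", "shouldn't be that much additional work") names neither the trade-off that decided it nor the cost being accepted. Suggest saying which property of delegated tokens drove the choice, and noting that the "Bot tokens" subsection that follows describes the alternative that was not chosen, so a reader does not take it as the current design.
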
Expand Down Expand Up @@ -151,6 +151,9 @@ The second problem is more minor: currently, the service associated with an inte
The UWS service would therefore have to make a request to the Gafaelfawr token-info endpoint for every request to determine the associated service, which increases the latency cost of this design.
We would probably want to add the associated service, if available, to an HTTP request header set by the ingress.

In this model, the UWS service itself will not require any token scopes.
It will accept requests authenticated by any internal token, but it will be configured with an internal allow list of applications that are permitted to use the service.

Application routes
------------------

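Review bot: The added paragraph says the UWS service "will accept requests authenticated by any internal token" and will rely on "an internal allow list of applications", but it does not say which attribute of the request the allow list is matched against, or what happens when that attribute is missing. The context lines just above say the associated service is only obtainable from the Gafaelfawr token-info endpoint or from a proposed ingress-set header, and only "if available". Since the service requires no scopes, the allow list is the only authorization check in this model, so the text should state that the list is matched against the token's associated service and that a request with no associated service, or with one not on the list, is rejected.
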