onvif / specs

ONVIF Network Interface Specifications

Clarification about authorization in Core spec

jflevesque-genetec opened this issue

I've been trying to determine what is the HTTP status code expected to be received from a device if a user attempts to do an action for which his access level is not sufficient. I would expect a 403 Forbidden, but there is no mention in the specification about it.

Also, in section 5.9.3.1, the text refers to Sect. 5.12, which does not exist. Does anyone know what section the text is referring to?

The authorization framework described in Sect. 5.12 allows for authentication of service requests. Once a service request is authenticated, the device shall decide based on its access policy whether the requestor is authorized to receive the service.

I can see section 5.12 in ONVIF Core Specification 20.06; later the same section was moved to 5.9.

https://www.onvif.org/specs/core/ONVIF-Core-Specification-v2006.pdf?441d4a&441d4a

Probably we can extend 5.8.2.4 HTTP errors for 403 in the latest ONVIF Core Specification 23.06.

Changing the error code from 401 or 400 to 403 probably will break backward compatibility.

Closing issue so as not to break backward compatibility.