Audience
This document is meant for the maintainers of CMR and is considered DRAFT
Overview
Technical documentation of the types of tokens that pass through CMR.
Tokens
Token | Source | Usage | Example | Client | Length | Tech Docs | Notes |
---|---|---|---|---|---|---|---|
Legacy | Legacy-Services | -H "Echo-Token: <token>" | AF14A97A-A916-B45A-B7C9-31BBB73ECB99 | stable with : | 35? | The creation of legacy Echo Tokens and use of the Echo-Token header are deprecated and scheduled for decommissioning. | |
"EDL-" Prefixed | EDL | -H "ECHO-Token: <token>:<client>" | EDL-<BASE 64 text 60 long>:<client> | settable with : | 64 | Use of the Echo-Token header is deprecated and scheduled for decommissioning. | |
Bearer Token | EDL | -H "Authorization: Bearer <token>" | EDL-<BASE 64 text 60 long> | | | https://tools.ietf.org/html/rfc6750 | |
JWT | EDL | -H "Authorization: Bearer <token>" | <Base64-Text>.<Base64-Text>.<Base64-Text> | settable with : | Up to 2k | | |
LaunchPad | idmax.nasa.gov | -H "Authorization: <token>" | something really long and ugly ; a SAML token | null | 4k | Launchpad Authentication User's Guide | |
Notes
- The "Authorization: Bearer" form is only for EDL (URS) tokens, which do not need to define a client.
CMR Token Processing
CMR reads tokens from three places: the Authorization header, the 'token' parameter, or the Echo-Token header. The first one found is stored in the context as :token (see acl-lib/src/cmr/acl/core.clj). There is very little processing of the token inside CMR; the value is handed over to legacy services for processing. The one exception is a few cases where actions are only allowed if the token is a Launchpad token.
Legacy Services Processing Notes
- <urs-token>:<client-id> (on behalf form)
- Bearer <urs-token> (assumed client id of cmr-<user-name>)
- Launchpad has no client id (null)
- URS tokens must have either a Bearer or a client id section.
LaunchPad Token Notes
See the Launchpad Authentication User's Guide.
Launchpad tokens are passed in as an Echo-Token or Authorization header and use neither a client separator (":") nor the Bearer marker. Launchpad tokens have no client (null).
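The lookup order and token shapes described above, as an added Python example that is not CMR or legacy-services code. `extract_token` and `classify` are hypothetical names, the regular expressions are assumptions based on the Example column of the table, and treating any other separator-free value as a Launchpad candidate is an assumed fallback.

```python
import re

# Shapes follow the Example column of the token table; the regexes are assumptions.
LEGACY_RE = re.compile(r"[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")
JWT_RE = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def extract_token(headers, params):
    """First value found wins: Authorization header, 'token' parameter, Echo-Token header."""
    lowered = {k.lower(): v for k, v in headers.items()}
    found = (lowered.get("authorization"), params.get("token"), lowered.get("echo-token"))
    return next((value for value in found if value), None)


def classify(raw):
    """Return (kind, client) for a raw token value; client is None when none is supplied."""
    bearer = raw.startswith("Bearer ")
    body = raw[len("Bearer "):] if bearer else raw
    token, _, client = body.partition(":")
    client = client or None
    if token.startswith("EDL-") or JWT_RE.fullmatch(token):
        # URS tokens must have either a Bearer marker or a client id section.
        if not bearer and client is None:
            raise ValueError("URS token needs 'Bearer ' or a ':<client>' section")
        return ("edl" if token.startswith("EDL-") else "jwt"), client
    if bearer:
        raise ValueError("the Bearer marker is only for EDL (URS) tokens")
    if LEGACY_RE.fullmatch(token):
        return "legacy", client
    if client is None:
        # No Bearer marker, no ':' separator: Launchpad-shaped (assumed fallback).
        return "launchpad-candidate", None
    raise ValueError("unrecognised token shape")


if __name__ == "__main__":
    # Constructed sample values, not real tokens.
    samples = [
        "Bearer EDL-" + "A" * 60,
        "EDL-" + "A" * 60 + ":my-client",
        "AF14A97A-A916-B45A-B7C9-31BBB73ECB99",
        "QUJD" * 200,
    ]
    for sample in samples:
        print(classify(sample), len(sample))
```

A value classified as `launchpad-candidate` has only passed a shape check; it still has to go through the real Launchpad validation before any Launchpad-only action is allowed.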
Questions
Token Usage
curl -H "Authorization: Bearer XXXX" https://cmr.sit.earthdata.nasa.gov/search/collections/
Code
legacy-services
cmr.common-app.api.launchpad-token-validation/launchpad_token_validation.clj