Audience

This document is meant for the maintainers of CMR and is considered DRAFT.

Overview

Technical documentation of the types of tokens that pass through CMR.

Tokens

| Token | Source | Usage | Example | Client | Length | Tech Docs | Notes |
|---|---|---|---|---|---|---|---|
| Legacy | Legacy-Services | -H "Echo-Token: <token>" | AF14A97A-A916-B45A-B7C9-31BBB73ECB99 | stable with : | 35? | | The creation of legacy Echo Tokens and use of the Echo-Token header are deprecated and scheduled for decommissioning. |
| "EDL-" Prefixed | EDL | -H "ECHO-Token: <token>:<client>" | EDL-<BASE 64 text 60 long>:<client> | settable with : | 64 | | Use of the Echo-Token header is deprecated and scheduled for decommissioning. |
| Bearer Token | EDL | -H "Authorization: Bearer <token>" | EDL-<BASE 64 text 60 long> | | | https://tools.ietf.org/html/rfc6750 | |
| JWT | EDL | -H "Authorization: Bearer <token>" | <Base64-Text>.<Base64-Text>.<Base64-Text> | settable with : | Up to 2k | JWT Intro; RFC7519 | |
| LaunchPad | idmax.nasa.gov | -H "Authorization: <token>" | something really long and ugly; a SAML token | null | 4k | Launchpad Authentication User's Guide | |

Notes

  • The "Authorization: Bearer" flag is only for EDL (URS) tokens which do not need to define a client.

CMR Token Processing

CMR reads tokens from three places: the Authorization header, the 'token' parameter, or the Echo-Token header. The first one found is stored in the context as :token (see acl-lib/src/cmr/acl/core.clj). There is very little processing of the token inside CMR; the value is handed over to legacy services for processing. The one exception is a few cases where actions are only allowed if the token is a Launchpad token.

Legacy Services Processing Notes

<urs-token>:<client-id> (on behalf form)

Bearer <urs-token> (assumed client id of cmr-<user-name>)

Launchpad has no client id (null)

URS tokens must have either a Bearer or a client id section.

LaunchPad Token Notes

See the Launchpad Authentication User's Guide.

Launchpad tokens are passed in as an Echo-Token or Authorization header and use neither a client separator (":") nor the Bearer marker. Launchpad tokens have no client (null).
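
The token shapes in the table and the processing notes above can be told apart mechanically, which is useful when triaging requests or logs. The following is an added example, not CMR or legacy-services code: the `classify` function, both regular expressions, the "EDL-" prefix check for Bearer values, and treating a legacy token's client as optional are assumptions drawn from the examples on this page.

```python
import re

# Shapes taken from the table on this page; the regexes themselves are assumptions.
GUID = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")
JWT = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")
INVALID = ("invalid", None, None)


def classify(header_value):
    """Return (kind, token, client) for a raw Authorization/Echo-Token value.

    client is None when no client is given in the value: Launchpad tokens
    have none, and the Bearer form's client id is assumed by legacy services.
    """
    value = header_value.strip()
    bearer = value.startswith("Bearer ")
    if bearer:
        value = value[len("Bearer "):].strip()

    # "<token>:<client>" form. None of the token shapes contain ':',
    # so everything after the first ':' is the client id.
    token, sep, client = value.partition(":")
    client = client if sep else None

    # Empty token, empty client after ':', or Bearer combined with a client.
    if not token or client == "" or (bearer and sep):
        return INVALID

    if JWT.match(token) or token.startswith("EDL-"):
        # URS tokens must have either a Bearer or a client id section.
        if not bearer and client is None:
            return INVALID
        return ("jwt" if JWT.match(token) else "edl", token, client)

    if bearer:
        return INVALID  # Bearer is only for EDL (URS) tokens
    if GUID.match(token):
        return ("legacy", token, client)
    if sep:
        return INVALID  # Launchpad tokens do not use a client separator
    # Fallback: no Bearer marker, no separator. Only a candidate Launchpad
    # token; real validation happens downstream.
    return ("launchpad", token, None)
```

A result of "launchpad" means only that the value fits none of the other shapes; it says nothing about whether the token is valid.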

Questions

Token Usage

curl -H "Authorization: Bearer XXXX" https://cmr.sit.earthdata.nasa.gov/search/collections/

Code

legacy-services

cmr.common-app.api.launchpad-token-validation/launchpad_token_validation.clj
