Audience
This document is meant for the maintainers of CMR and is considered a DRAFT.
Overview
Technical documentation of the types of tokens that pass through CMR.
Tokens
| Token | Source | Usage | Example | Client | Length | Tech Docs | Notes |
|---|---|---|---|---|---|---|---|
| Legacy | Legacy-Services | -H "Echo-Token: <token>" | AF14A97A-A916-B45A-B7C9-31BBB73ECB99 | stable with : | 35? | The creation of legacy Echo Tokens and use of the Echo-Token header are deprecated and scheduled for decommissioning. | |
| "EDL-" Prefixed | EDL | -H "ECHO-Token: <token>:<client>" | EDL-<BASE 64 text 60 long>:<client> | settable with : | 64 | Use of the Echo-Token header is deprecated and scheduled for decommissioning. | |
| Bearer Token | EDL | -H "Authorization: Bearer <token>" | EDL-<BASE 64 text 60 long> | | | https://tools.ietf.org/html/rfc6750 | |
| JWT | EDL | -H "Authorization: Bearer <token>" | <Base64-Text>.<Base64-Text>.<Base64-Text> | settable with : | Up to 2k | | |
| LaunchPad | idmax.nasa.gov | -H "Authorization: <token>" | something really long and ugly ; a SAML token | null | 4k | Launchpad Authentication User's Guide | |
Notes
- The "Authorization: Bearer" flag is only for EDL (URS) tokens which do not need to define a client.
CMR Token Processing
CMR reads tokens from three places: the Authorization header, the 'token' parameter, or the Echo-Token header. The first one found is stored in the context as :token (see acl-lib/src/cmr/acl/core.clj). CMR itself does very little processing of the token; the value is handed over to legacy services for processing. The one exception is a few cases where an action is allowed only if the token is a Launchpad token.
Legacy Services Processing Notes
- <urs-token>:<client-id> (on behalf form)
- Bearer <urs-token> (assumed client id of cmr-<user-name>)
- Launchpad has no client id (null)
- URS tokens must have either a Bearer or a client id section.
LaunchPad Token Notes
See the Launchpad Authentication User's Guide.
Launchpad tokens are passed in as an Echo-Token or Authorization header and use neither a client separator (":") nor the Bearer marker. Launchpad tokens have no client (null).
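The lookup and token forms described above can be checked with a small triage helper. This is an added example, not code from CMR or legacy-services: the function names, the lookup order (taken from the order the sources are listed above), the "launchpad?" heuristic and the sample values are assumptions.

```python
import hashlib
import re

# Assumption: lookup order follows the order in which the page lists the sources.
SOURCES = ("authorization", "token", "echo-token")
JWT_RE = re.compile(r"^[\w-]+\.[\w-]+\.[\w-]+$")
UUID_RE = re.compile(r"^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$", re.I)


def find_token(headers, params):
    """Return (source, raw value) for the first place that carries a token."""
    lowered = {name.lower(): value for name, value in headers.items()}
    for source in SOURCES:
        raw = params.get("token") if source == "token" else lowered.get(source)
        if raw:
            return source, raw.strip()
    return None, None


def classify(source, raw):
    """Describe a raw token value using the shapes in the Tokens table."""
    bearer = raw[:7].lower() == "bearer "
    token, _, client = (raw[7:].strip() if bearer else raw).partition(":")
    if JWT_RE.match(token):
        kind = "jwt"
    elif token.startswith("EDL-"):
        kind = "edl"
    elif UUID_RE.match(token):
        kind = "legacy"
    elif not bearer and not client:
        kind = "launchpad?"  # heuristic: no Bearer marker, no client separator
    else:
        kind = "unknown"
    problems = []
    if source == "echo-token":
        problems.append("deprecated Echo-Token header")
    if kind in ("jwt", "edl") and not (bearer or client):
        problems.append("URS token needs Bearer or a client id")
    # Log a short hash instead of the token so log files never hold credentials.
    fingerprint = hashlib.sha256(token.encode()).hexdigest()[:12]
    return {"kind": kind, "bearer": bearer, "client": client or None,
            "problems": problems, "fingerprint": fingerprint}


if __name__ == "__main__":
    # Constructed request: a deprecated Echo-Token header with an "on behalf" client.
    hdrs = {"Echo-Token": "EDL-" + "A" * 60 + ":sample-client"}
    print(classify(*find_token(hdrs, {})))
```

The `problems` list is what a maintainer would alert on: requests still using the Echo-Token header, and URS tokens that arrive with neither the Bearer marker nor a client id.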
Questions
Token Usage
curl -H "Authorization: Bearer XXXX" https://cmr.sit.earthdata.nasa.gov/search/collections/
Code
legacy-services
cmr.common-app.api.launchpad-token-validation/launchpad_token_validation.clj