IETF-RFC.md (+9 -13)
@@ -73,7 +73,7 @@ We define the following concepts (with some non-normative references to related
73
73
* __Discovering Server__ - a server that tries to obtain information in OCM API discovery
74
74
* __Discoverable Server__ - a server that tries to supply information in OCM API discovery
75
75
* __OCM Address__ - a string of the form `<Receiving Party's identifier>@<fqdn>` which can be used to uniquely identify a user or group "at" an OCM Server. `<Receiving Party's identifier>` is an opaque string,
76
-
unique at the server. `<fqdn>` is the Fully Qualified Domain Name by which the server is identified. This can, but doesn't need to be, the domain at which the OCM API of that server is hosted.
76
+
unique at the server. `<fqdn>` is the Fully Qualified Domain Name by which the server is identified. This MUST be the domain at which the OCM API of that server is hosted.
77
77
* __OCM Notification__ - a message from the Receiving Server to the Sending Server or vice versa, using the OCM Notifications endpoint.
78
78
* __Invite Message__ - out-of-band message used to establish contact between parties and servers in the Invite Flow, containing an Invite Token (see below) and the Invite Sender's OCM Address
79
79
* __Invite Sender__ - the party sending an Invite
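Review bot: The new MUST on `<fqdn>` in the __OCM Address__ definition says the FQDN is the domain at which the OCM API "is hosted", but it does not say whether that means the host serving OCM API discovery or the host of the API endpoint itself. Since this turns an optional property into a requirement, name the exact thing a receiver can rely on, for example "This MUST be the domain at which OCM API discovery for that server is served". The change also drops the "can, but doesn't need to be" allowance without a note for servers whose OCM Address domain differs from the API host; a sentence on how such deployments stay conformant would help.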
@@ -395,11 +395,9 @@ If `multi` is given, one or more protocol
395
395
396
396
* Protocol details for `webdav` MAY contain:
397
397
* REQUIRED uri (string)
398
-
An URI to access the remote resource. The URI MAY be relative,
398
+
An URI to access the remote resource. The URI SHOULD be relative,
399
399
in which case the prefix exposed by the `/.well-known/ocm` endpoint MUST
400
-
be used, or it MAY be absolute. The latter is recommended in case the
401
-
receiver cannot unambiguously identify the sending server's endpoint (e.g.
402
-
because of reverse proxies).
400
+
be used. Absolute URIs are deprecated.
403
401
* OPTIONAL sharedSecret (string) - required if no `code` field is given for the Share as a whole (see above).
404
402
An optional secret to be used to access the resource,
405
403
such as a bearer token.
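Review bot: In the `webdav` `uri` description, "Absolute URIs are deprecated" does not tell a receiver what to do when it still gets an absolute URI, so implementations remain free to follow a sender-chosen host. State the receiver requirement explicitly, for instance that an absolute URI SHOULD be rejected or MUST at least point at the sending server's host. The removed sentence covered the case where the receiver cannot unambiguously identify the sending server's endpoint because of reverse proxies; with absolute URIs deprecated that case is left without guidance, so say how the prefix is resolved there.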
@@ -419,10 +417,9 @@ If `multi` is given, one or more protocol
419
417
* Protocol details for `webapp` MAY contain:
420
418
* REQUIRED uri (string)
421
419
An URI to a client-browsable view of the shared resource, such that
422
-
users may use the web applications available at the site. The URI MAY
420
+
users may use the web applications available at the site. The URI SHOULD
423
421
be relative, in which case the prefix exposed by the `/.well-known/ocm`
424
-
endpoint MUST be used, or it MAY be absolute. Similar considerations
425
-
as for the `webdav.uri` field apply.
422
+
endpoint MUST be used. Absolute URIs are deprecated.
426
423
* REQUIRED viewMode (string)
427
424
The permissions granted to the sharee. A subset of:
428
425
- `view`allows access to the web app in view-only mode.
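Review bot: For `webapp`, the `uri` text now makes relative URIs the default but still refers only to "the prefix exposed by the `/.well-known/ocm` endpoint", without naming which discovery value supplies the prefix for a client-browsable view. Name that field so two implementations resolve the same relative `uri` to the same URL. "SHOULD be relative" next to "deprecated" also leaves the conformance level of an absolute URI unclear; if removal is intended, say so in the way the Basic Auth note under Resource Access does ("may be removed in a future release of the Protocol").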
@@ -433,16 +430,15 @@ If `multi` is given, one or more protocol
433
430
for example in the form of a bearer token.
434
431
* Protocol details for `datatx` MAY contain:
435
432
* REQUIRED srcUri (string)
436
-
An URI to access the remote resource. The URI MAY be relative,
433
+
An URI to access the remote resource. The URI SHOULD be relative,
437
434
in which case the prefix exposed by the `/.well-known/ocm` endpoint MUST
438
-
be used, or it MAY be absolute. Similar considerations as for the
439
-
`webdav.uri`field apply.
435
+
be used. Absolute URIs are deprecated.
440
436
* OPTIONAL sharedSecret (string)
441
437
An optional secret to be used to access the resource,
442
438
for example in the form of a bearer token.
443
439
To prevent leaking it in logs it MUST NOT appear in any URI.
444
440
* OPTIONAL size (integer)
445
-
The size of the file to be transferred from the sending server.
441
+
The size of the file to be transferred from the sending server.
446
442
447
443
## Decision to Discard
448
444
The Receiving Server MAY discard the notification if any of the following hold true:
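Review bot: In the `datatx` `srcUri` description, "Absolute URIs are deprecated." is now the third copy of the same rule (after `webdav.uri` and `webapp.uri`), and the removed text at least tied the copies together by pointing back to `webdav.uri`. Define relative-URI resolution and the deprecation once and refer to it from each protocol, so the three descriptions cannot drift apart. Separately, the `size` line is removed and re-added with identical visible text, which looks like a whitespace-only change; drop it from this commit or mention it in the commit message.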
@@ -493,7 +489,7 @@ They could give the Receiving Party the option to accept or reject the Share, or
493
489
494
490
# Resource Access
495
491
To access the Resource, the Receiving Server MAY use multiple ways, depending on the body of the Share Creation Notification. The procedure is as follows:
496
-
1. A root path `<sender-ocm-path>` MUST be obtained by querying the [Discovery](#ocm-api-discovery) endpoint at the Sending Server and getting `resourceTypes[0].protocols.webdav`.
492
+
1. The receiver MUST extract the OCM Server FQDN from the `owner` field of the received share, and MUST query the [Discovery](#ocm-api-discovery) endpoint at that address: the `resourceTypes[0].protocols.webdav` value is the `<sender-ocm-path>` to be used in step 3.
497
493
2. If `code` is not empty, the receiver SHOULD make a signed POST request to the `/token` path inside the Sending Server's OCM API, to exchange the code for a short-lived bearer token, and then use that bearer token to access the Resource.
498
494
3. If `protocol.name` = `webdav`, the receiver SHOULD inspect the `protocol.options` property. If it contains a `sharedSecret`, as in the [legacy example](https://cs3org.github.io/OCM-API/docs.html?branch=develop&repo=OCM-API&user=cs3org#/paths/~1shares/post), then the receiver SHOULD make a HTTP PROPFIND request to `https://<sharedSecret>:@<sender-host><sender-ocm-path>`. Note that this access method, based on Basic Auth, is _deprecated_ and may be removed in a future release of the Protocol.
499
495
4. Otherwise, if `protocol.name` = `multi`, the receiver MUST inspect the `protocol.webdav.uri` property: if it's a complete URI, the receiver MUST make a HTTP PROPFIND request against it to access the remote resource. If it only contains an identifier `<key>`, the receiver MUST make a HTTP PROPFIND request to `https://<sender-host><sender-ocm-path>/<key>` in order to access the remote resource. Additionally, the receiver MUST pass an `Authorization: bearer` header with either the short-lived bearer token obtained in step 2, if applicable, or the `protocol.webdav.sharedSecret` value.
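Review bot: Step 4 (unchanged context in this hunk) still says that if `protocol.webdav.uri` is "a complete URI, the receiver MUST make a HTTP PROPFIND request against it", which conflicts with the rest of this commit deprecating absolute URIs; update it in the same change. The new step 1 says the `<sender-ocm-path>` is "to be used in step 3", but step 4 uses it as well, and steps 3 and 4 build URLs from `<sender-host>`, which is not tied to the FQDN extracted in step 1; say that `<sender-host>` is that FQDN. Since `owner` comes from the received share itself, it is also worth stating what the receiver does when that FQDN does not match the server that sent the notification.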