Accessing Proprietary Tables from TAP Services

[shinybrar]

Hello Firefly Team,

We (@brianmajor, @shinybrar)at CANFAR are actively working on a generally available Firefly deployment for our user base. While we already have Firefly working with Public TAP Services / Tables we are currently investigating how can Firefly access proprietary tables that require authentication, e.g. the YouCat TAP Service. We would like to know,

• Does firefly currently to support accessing proprietary tables via HTTP Tokens?
• If yes, could you provide documentation or an example on how to configure Firefly to use HTTP Tokens?
• If no, are there any recommended workarounds or plans to include such functionality in future Firefly releases?

Any guidance on this matter would be very helpful.

[robyww]

I need a little more detail. Firefly does do a handle this sort of thing but you would have to have it behind a login so that the tokens are available. It would also have some SSO parameters configured.

Can you tell me how you want to use it like this?

[loitly]

Hello @shinybrar,
Yes, Firefly supports accessing proprietary data services. However, because each implementation can differ, you may need to create your own custom implementation. Please refer to this documentation for guidance on how to proceed. At the bottom of the document, you'll find a bundled implementation that might suit your needs.

Let me know if this helps, and feel free to reach out with any additional questions.

[brianmajor]

Hi Trey, hi Loi -- thanks for the quick response on this.

Trey--our deployment model was going to be partly informed by the support for outgoing tokens in Firefly. Reading the documentation Loi posted, it seems like it'll do pretty much what we were hoping for: send tokens to the TAP/VO services from some configurable input source. That source will likely be some header of a token in the user's file system space.

For us, this implementation I think will work in the short-term, because as of yet our own TAP services are the only ones we use that support authentication. But, as the landscape grows, more remote services will as well, which will require the software to make a decision: which token to use for that service? In the VO/GWS, there has been talk about using the notion of realms--tokens belong to a realm (where it was issued) and should only be sent to services in that same realm. Do you have this situation and have you given it thought? I know that the RSP will have proprietary tables in their TAP services.

Anyhow, Shiny and I will give this a try and let you know how it goes. Thanks again.

[loitly]

... require the software to make a decision: which token to use for that service ...

Sorry for the delayed response. Regarding your question, I believe our custom SSOAdapter approach can handle this scenario as well. Essentially, every request to Firefly passes through the following steps:

getUserInfo/getAuthToken:
In getAuthToken, the request headers are inspected for information (e.g., header that contains 'realm' info).

setAuthCredential:
Based on the information gathered by getAuthToken and the request URL, setAuthCredential determines which authentication token to use.

Hope that all makes snese. Let me know if you have questions or need more details.