Authentication for accessing Swestore
Some kind of credential is required to access Swestore. The most common ones are the classic username/password combination or a certificate.
In addition, Swestore also supports (and encourages) the use of Macaroons, a bearer-token technology, for advanced use cases such as external data portals and temporary file sharing.
For interactive use
There are two reasonable authentication methods available for scenarios when there is a human interacting with Swestore.
Username/password authentication is simple to use and works for the web pages and the various command line tools that speak HTTPS/WebDAV (but not for gsiftp). This is our recommended authentication method for interactive use of Swestore.
As an alternative, a certificate can be used. It is a bit harder to acquire but has some added benefits. A certificate can be thought of as an elaborate identity card and can be used to generate short-lived access tokens (proxy certificates).
For non-interactive use
This covers automated systems, data portals, and other systems where the actor isn't a human.
A certificate, preferably a robot certificate, can be stored (protected by a pass phrase) on the automated system and used to create short-lived (hours, days, or weeks) temporary proxy certificates that grant Swestore access. If such a proxy certificate is stolen, your data is exposed only for the remaining lifetime of that proxy, so choose the shortest lifetime the task allows. This is the preferred method for automated systems to access Swestore, to create short-lived access tokens such as Macaroons, and to perform other automated tasks.
Username/password authentication can also be used, but for security reasons it is not always suitable for automated/scripted use cases, since it would mean storing the password in clear text on a system that may not be under your control.
Macaroons are a bearer-token technology used with the WebDAV/HTTP protocols. They make it easy to create temporary access links with limited permissions and are extremely well suited for access portals, time-limited file sharing/delegation, and similar use cases. Because a bearer token grants access to whoever holds it, Macaroons are not suitable for long-term publishing of data.
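The following is an added illustration of why Macaroons fit the temporary, limited-permission sharing described above; it is not Swestore's code and does not talk to any Swestore service. It models a macaroon as the HMAC chain from the original design (signature = HMAC(root key, identifier), then HMAC(previous signature, caveat) for each caveat), shows that any holder can narrow a token to a single directory, read-only access and a deadline without knowing the key, and that a holder who strips a caveat to widen the token is rejected. The caveat names (activity, path, before), the server location URL and the project paths are hypothetical; real serialization and third-party caveats are omitted.

```python
# Added example, not Swestore's or any storage system's own code.
# Minimal model of macaroons as HMAC-chained bearer tokens; caveat
# predicates "activity:", "path:" and "before:" are hypothetical names.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def _chain(key: bytes, msg: str) -> bytes:
    """One link of the HMAC chain that forms a macaroon signature."""
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


@dataclass(frozen=True)
class Macaroon:
    location: str
    identifier: str
    caveats: tuple = ()
    signature: bytes = b""

    def attenuate(self, predicate: str) -> "Macaroon":
        """Add a first-party caveat. No key is needed, so any holder can do
        this (e.g. before handing a link to a portal user). Because the new
        signature is HMAC(old signature, caveat), a holder can only narrow the
        token; existing caveats cannot be removed or relaxed."""
        return Macaroon(self.location, self.identifier,
                        self.caveats + (predicate,),
                        _chain(self.signature, predicate))


class StorageServer:
    """The only party that knows the root key; mints and verifies tokens."""

    def __init__(self, location: str):
        self.location = location
        self._root_key = secrets.token_bytes(32)

    def mint(self, identifier: str) -> Macaroon:
        """Issue a root macaroon carrying the minter's full permissions."""
        return Macaroon(self.location, identifier, (),
                        _chain(self._root_key, identifier))

    def authorize(self, m: Macaroon, activity: str, path: str,
                  now: datetime) -> tuple:
        # 1. Recompute the chain from the root key. Any change to the
        #    identifier or the caveat list changes the final value.
        sig = _chain(self._root_key, m.identifier)
        for c in m.caveats:
            sig = _chain(sig, c)
        if not hmac.compare_digest(sig, m.signature):
            return False, "signature mismatch (tampered or forged)"
        # 2. Every caveat must hold for this request (fail closed on unknown).
        for c in m.caveats:
            kind, _, value = c.partition(":")
            if kind == "activity":
                if activity not in value.split(","):
                    return False, f"activity {activity} not permitted by {c!r}"
            elif kind == "path":
                inside = path == value or path.startswith(value.rstrip("/") + "/")
                if not inside:
                    return False, f"path {path} outside {c!r}"
            elif kind == "before":
                deadline = datetime.fromisoformat(value.replace("Z", "+00:00"))
                if now >= deadline:
                    return False, f"token expired ({c!r})"
            else:
                return False, f"unknown caveat {c!r}"
        return True, "ok"


def run_demo() -> dict:
    """Constructed scenario: a project member mints a token, narrows it to a
    read-only, one-day link for one directory, and a recipient tries to widen
    it by dropping the path caveat while keeping the signature."""
    server = StorageServer("https://webdav.example.org")  # hypothetical
    now = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
    root = server.mint("proj-member-session-1")
    link = (root.attenuate("activity:DOWNLOAD,LIST")
                .attenuate("path:/proj/share")
                .attenuate("before:2025-06-02T12:00:00Z"))
    forged = Macaroon(link.location, link.identifier, link.caveats[:1], link.signature)
    return {
        "root_can_upload_anywhere": server.authorize(root, "UPLOAD", "/proj/other", now)[0],
        "link_download_in_dir": server.authorize(link, "DOWNLOAD", "/proj/share/data.tar", now)[0],
        "link_upload_denied": server.authorize(link, "UPLOAD", "/proj/share/data.tar", now)[0],
        "link_other_dir_denied": server.authorize(link, "DOWNLOAD", "/proj/other/x", now)[0],
        "link_expired": server.authorize(link, "DOWNLOAD", "/proj/share/data.tar",
                                         now + timedelta(days=2))[0],
        "stripped_caveat_rejected": server.authorize(forged, "DOWNLOAD", "/proj/other/x", now)[0],
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

The "before" caveat is what makes the link temporary, and the signature chain is what lets a portal hand out narrowed links without ever seeing the root key. The flip side is the last point in the text: anyone who obtains the token (from a log, a browser history, a forwarded e-mail) can use it until the deadline, which is why a long-lived macaroon is the wrong tool for publishing data.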