OGC Testbed-14: Next Generation Web APIs - WFS 3.0 Engineering Report

Publication Date: 2019-03-07

Approval Date: 2018-12-13

Submission Date: 2018-11-22

Reference number of this document: OGC 18-045

Reference URL for this document: http://www.opengis.net/doc/PER/t14-D021

Category: Public Engineering Report

Editor: Jeff Harrison, Panagiotis (Peter) A. Vretanos

Title: OGC Testbed-14: Next Generation Web APIs - WFS 3.0 Engineering Report

OGC Engineering Report

COPYRIGHT

WARNING

This document is not an OGC Standard. This document is an OGC Public Engineering Report created as a deliverable in an OGC Interoperability Initiative and is not an official position of the OGC membership. It is distributed for review and comment. It is subject to change without notice and may not be referred to as an OGC Standard. Further, any OGC Engineering Report should not be referenced as required or mandatory technology in procurements. However, the discussions in this document could very well lead to the definition of an OGC Standard.

LICENSE AGREEMENT

Permission is hereby granted by the Open Geospatial Consortium, ("Licensor"), free of charge and subject to the terms set forth below, to any person obtaining a copy of this Intellectual Property and any associated documentation, to deal in the Intellectual Property without restriction (except as set forth below), including without limitation the rights to implement, use, copy, modify, merge, publish, distribute, and/or sublicense copies of the Intellectual Property, and to permit persons to whom the Intellectual Property is furnished to do so, provided that all copyright notices on the intellectual property are retained intact and that each person to whom the Intellectual Property is furnished agrees to the terms of this Agreement.

If you modify the Intellectual Property, all copies of the modified Intellectual Property must include, in addition to the above copyright notice, a notice that the Intellectual Property includes modifications that have not been approved or adopted by LICENSOR.

THIS LICENSE IS A COPYRIGHT LICENSE ONLY, AND DOES NOT CONVEY ANY RIGHTS UNDER ANY PATENTS THAT MAY BE IN FORCE ANYWHERE IN THE WORLD. THE INTELLECTUAL PROPERTY IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. THE COPYRIGHT HOLDER OR HOLDERS INCLUDED IN THIS NOTICE DO NOT WARRANT THAT THE FUNCTIONS CONTAINED IN THE INTELLECTUAL PROPERTY WILL MEET YOUR REQUIREMENTS OR THAT THE OPERATION OF THE INTELLECTUAL PROPERTY WILL BE UNINTERRUPTED OR ERROR FREE. ANY USE OF THE INTELLECTUAL PROPERTY SHALL BE MADE ENTIRELY AT THE USER’S OWN RISK. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR ANY CONTRIBUTOR OF INTELLECTUAL PROPERTY RIGHTS TO THE INTELLECTUAL PROPERTY BE LIABLE FOR ANY CLAIM, OR ANY DIRECT, SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES WHATSOEVER RESULTING FROM ANY ALLEGED INFRINGEMENT OR ANY LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR UNDER ANY OTHER LEGAL THEORY, ARISING OUT OF OR IN CONNECTION WITH THE IMPLEMENTATION, USE, COMMERCIALIZATION OR PERFORMANCE OF THIS INTELLECTUAL PROPERTY.

This license is effective until terminated. You may terminate it at any time by destroying the Intellectual Property together with all copies in any form. The license will also terminate if you fail to comply with any term or condition of this Agreement. Except as provided in the following sentence, no such termination of this license shall require the termination of any third party end-user sublicense to the Intellectual Property which is in force as of the date of notice of such termination. In addition, should the Intellectual Property, or the operation of the Intellectual Property, infringe, or in LICENSOR’s sole opinion be likely to infringe, any patent, copyright, trademark or other right of a third party, you agree that LICENSOR, in its sole discretion, may terminate this license without any compensation or liability to you, your licensees or any other party. You agree upon termination of any kind to destroy or cause to be destroyed the Intellectual Property together with all copies in any form, whether held by you or by any third party.

Except as contained in this notice, the name of LICENSOR or of any other holder of a copyright in all or part of the Intellectual Property shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Intellectual Property without prior written authorization of LICENSOR or such copyright holder. LICENSOR is and shall at all times be the sole entity that may authorize you or any third party to use certification marks, trademarks or other special designations to indicate compliance with any LICENSOR standards or specifications.

This Agreement is governed by the laws of the Commonwealth of Massachusetts. The application to this Agreement of the United Nations Convention on Contracts for the International Sale of Goods is hereby expressly excluded. In the event any provision of this Agreement shall be deemed unenforceable, void or invalid, such provision shall be modified so as to make it valid and enforceable, and as so modified the entire Agreement shall remain in full force and effect. No decision, action or inaction by LICENSOR shall be construed to be a waiver of any rights or remedies available to it.

None of the Intellectual Property or underlying information or technology may be downloaded or otherwise exported or reexported in violation of U.S. export laws and regulations. In addition, you are responsible for complying with any local laws in your jurisdiction which may impact your right to import, export or use the Intellectual Property, and you represent that you have complied with any regulations or registration procedures required by applicable law to make this license enforceable.

Table of Contents

1. Summary
2. References
3. Terms and definitions
- 3.1. Abbreviated Terms
4. Overview
5. Background
- 5.1. Introduction to WFS 3.0 and OpenAPI
  - 5.1.1. Transitioning to Next-Generation APIs
- 5.2. OpenID Connect and OAuth 2.0
  - 5.2.1. OpenID Connect Security Environment
6. Experiments
7. Implementations
- 7.1. Component Implementation Design
- 7.2. Participant Implementations
8. Extensions
9. Findings
- 9.1. Recommendations for Future Work
Appendix A: Extensions
Appendix B: Revision History
Appendix C: Bibliography

1. Summary

The objective of the Next Generation APIs - WFS 3.0 effort in OGC Testbed-14 was to develop and test the Web Feature Service (WFS) version 3.0 candidate standard. The initiative assessed OpenAPI, security based on OpenID Connect and OAuth 2.0 and WFS 3.0 extensions. The effort also began to assess methods to ease geospatial enterprise transition to next generation Application Programming Interfaces (APIs).

The purpose of this effort was not to preempt other next generation work taking place in OGC, but rather to inform and complement that work.

This Engineering Report (ER) describes the implementations and experiments conducted by OGC Testbed-14 participants to test next generation Web APIs. It includes descriptions of APIs to simplify and secure access to geospatial feature resources, and was tested in a scenario that showed how WFS 3.0 can support humanitarian relief activities.

1.1. Requirements & Research Motivation

The motivation behind this ER resides in the need to secure the next generation open geospatial APIs, and ease transition from legacy services to geospatial enterprise architectures aligned with current Web architecture and Spatial Data on the Web Best Practices.

Therefore, the requirements addressed by this ER were:

Adopt API components used in mainstream IT, and build in security.
Use well-known resource types, and deploy geospatial feature resources as API components.
Deploy feature resources in a simple core specified as OpenAPI components.
Implement and test modular extensions for complex functions.
Deploy facades and versioning to assess legacy service transition to next generation Web APIs.
Develop and deploy client applications able to access feature resources using HTTP methods. Leverage openly available, browser-based tools such as Swagger to exercise the OpenAPI components.
Secure the clients and services via an Authorization Server using OpenID Connect and OAuth 2.0. OpenID Connect is an authentication layer on top of OAuth 2.0, an authorization framework. OpenID Connect specifies an API using JavaScript Object Notation (JSON) as a data format.
Conduct Technology Integration Experiments (TIEs) and document the ability of next generation APIs to support simulated users in a humanitarian relief scenario.

Figure 1. Overview of the Testbed-14 Next Generation APIs experiments architecture

Technology Integration Experiments conducted during Testbed-14 were informed by activity in the OGC Vector Tiles Pilot (VTP) which began in August 2018. The objective of the VTP was to extend WFS 3.0 and other OGC standards to deliver Vector Tiles.

Results of Testbed-14 indicate the simple core of WFS 3.0 specified as OpenAPI can be implemented rapidly by software developers, and deliver geospatial feature resources secured by OpenID Connect and OAuth 2.0. In addition, findings indicated feasible methods to ease transition to next-generation APIs are available through WFS versioning and facades.

Figure 2. Technology Integration Experiments

1.2. Prior-After Comparison

Prior to Testbed-14 WFS 3.0 development has focused mainly on revising OGC’s Web Feature Service standard for querying geospatial information on the web, concentrating on a simple core specified as reusable OpenAPI components with responses in JSON and Hypertext Markup Language (HTML). A key element of OpenAPI is the ability to provide standard, language-agnostic description for APIs and support to modern tools such as Swagger.

OpenAPI and Swagger allow both humans and computers to discover and understand the capabilities of an API without access to source code, documentation or through network traffic inspection. In addition, OpenAPI documents can be used by code generation tools to generate servers and clients in various programming languages.

Security discussions prior to Testbed-14 addressed a variety of approaches, but lacked an industry framework for integrating security controls into next generation APIs.

On the integration of OGC standards and definition of best practices for integration, the OGC® Web Services Security specification was published on the 28th January 2019 as an OGC Implementation Standard. The standard has been developed by the OGC Web Services (OWS) Common Security Standards Working Group (SWG) with the aim being to standardize the security aspects of current Web Services Standards while providing backward compatibility and interoperability.

On the other hand security discussions prior to this Testbed include concerns regarding Federated Identity Management, but these are not specifically addressed in enough detail.

This situation highlights the need for a general approach to security architectures that utilize the current state-of-the-art standards.

As a result of activities performed during this Testbed, the implementations documented in this Engineering Report serve as an initial step towards a complete high-level architecture to simplify and secure access to geospatial feature resources - including definition of security requirements objects aligned with OpenAPI. Documented implementations also indicate the potential of WFS 3.0 extensions to support Vector Tiles, maps and other innovations.

1.3. Recommendations for Future Work

As a result of the activities performed during this Testbed, several future work points have been identified:

Assess and advance next generation APIs to support transactions against geospatial feature resources, perform geometry simplification and other functions.
Advance a "WMTS 2.0" implemented as reusable OpenAPI components with security based on OpenID Connect and OAuth 2.0.
Enhance the ability of next generation APIs to describe and deliver emerging geospatial resources such as Vector Tiles.
Assess the ability of next generation APIs to support access control and security metadata, optionally enclosed within dissemination formats for binding assertion metadata with geospatial resources.
Assess how security specifications, access control and dissemination may further enable JSON, HTML and Vector Tiles-based information exchange.

1.4. Document contributor contact points

All questions regarding this document should be directed to the editor or the contributors:

Contacts

Name	Organization
Jeff Harrison, Editor	US Army Geospatial Center
Peter Vretanos, Editor	Cubewerx
Clemens Portele	Interactive Instruments
Chia-Cheng (Ricky) Lin	Feng Chia University
Simone Giannecchini	GeoSolutions
Andrea Aime	GeoSolutions
Stefano Bovio	GeoSolutions
Hector Rodriguez	Deimos Space
Juan Jose Doval	Deimos Space

Name

Organization

Jeff Harrison, Editor

US Army Geospatial Center

Peter Vretanos, Editor

Cubewerx

Clemens Portele

Interactive Instruments

Chia-Cheng (Ricky) Lin

Feng Chia University

Simone Giannecchini

GeoSolutions

Andrea Aime

GeoSolutions

Stefano Bovio

GeoSolutions

Hector Rodriguez

Deimos Space

Juan Jose Doval

Deimos Space

1.5. Review SWGs

The content of this ER will be reviewed by the following OGC standards working groups:

Web Feature Service/Filter Encoding Specification (WFS/FES) SWG

1.6. Foreword

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The Open Geospatial Consortium shall not be held responsible for identifying any or all such patent rights.

Recipients of this document are requested to submit, with their comments, notification of any relevant patent claims or other intellectual property rights of which they may be aware that might be infringed by any implementation of the standard set forth in this document, and to provide supporting documentation.

2. References

The following normative documents are referenced in this document.

3. Terms and definitions

For the purposes of this report, the definitions specified in Clause 4 of the OWS Common Implementation Standard OGC 06-121r9 shall apply. In addition, the following terms and definitions apply.

Authorization Code Grant Flow

A security flow that can be used by confidential and public clients to exchange an authorization code for an access token.

Dataset

A collection of data, published or curated by a single agent, and available for access or download in one or more formats.

Distribution

Represents an accessible form of a dataset.

Feature

An abstraction of real world phenomena [ISO 19101-1:2014].

Feature Collection | Collection
```
A set of features from a dataset.
```

Implicit Grant Flow

A simplified security flow that can be used by public clients, where the access token is returned immediately without an extra authorization code exchange step.

OpenAPI

A specification for machine-readable interface files for describing, producing, consuming, and visualizing RESTful APIs.

Swagger

Tools to visualize and interact with an API’s resources without having any of the implementation logic in place, automatically generated from an OpenAPI document.

Web Feature Service 3.0

A revision of the OGC's Web Feature Service standard for querying geospatial resources on the web, focusing on a simple RESTful core specified as reusable OpenAPI components with responses in JSON, HTML and emerging forms such as Vector Tiles.

3.1. Abbreviated Terms

Some of the more frequently used abbreviated terms in this document include:

API Application Programming Interface
CORS Cross-Origin Resource Sharing
COTS Commercial Off The Shelf
ER Engineering Report
HTML Hypertext Markup Language
HTTP Hypertext Transfer Protocol
JSON JavaScript Object Notation
OIDC OpenID Connect
OGC Open Geospatial Consortium
OSM OpenStreetMap
REST Representational State Transfer
TIE Technology Integration Experiment
TDS Topographic Data Store
URL Uniform Resource Locator
W3C World Wide Web Consortium
WWW World Wide Web
WFS Web Feature Service
YAML YAML Ain’t Markup Language

4. Overview

The objective of the Next Generation APIs - WFS 3.0 effort in Testbed-14 was to develop and test WFS 3.0. The initiative assessed OpenAPI, security based on OpenID Connect and OAuth 2.0 and WFS 3.0 extensions. The effort also began to assess methods to ease geospatial enterprise transition to next generation APIs.

This document contains the following sections:

Preface - This section presents information on administrative and legal aspects of this Engineering Report (ER).
Summary - This section presents information on scope, what this Engineering Report means for the OGC in general and document contributor contact points. It also provides forward-looking recommendations.
References - This section presents information on documents that are referenced in this Engineering Report.
Terms - This section presents information on terms and abbreviations that are used in this Engineering Report.
Background - This section presents background information on technologies implemented in this Engineering Report.
Experiments - This section presents information on the component implementations, architecture and the results of Technology Integration Experiments conducted.
Implementations - This section presents detailed information on service endpoints and applications implemented in this Engineering Report.
Extensions - This section presents information on extensions to the core API.
Findings - This section summarizes the findings. It also provides forward-looking recommendations.

5. Background

The objective of the Next Generation APIs - WFS 3.0 effort in Testbed-14 was to develop and test WFS 3.0. The goal was to experiment with the new WFS 3.0 specification, OpenAPI and Swagger and add security mechanisms based on OpenID Connect and OAuth 2.0. The effort also began to assess WFS 3.0 extensions and methods to ease geospatial enterprise transition to next generation APIs.

This section provides background information on WFS 3.0, OpenAPI, Swagger, OpenID Connect and OAuth 2.0 and an introduction to key technologies tested.

5.1. Introduction to WFS 3.0 and OpenAPI

The foundation of WFS 3.0 is a set of interfaces which define the 'core' of the specification. The core provides a simple API to access geospatial feature resources as 'collections'. For example, this path -

GET /collections

lists the collections on the server that can be queried. GeoJSON is a recommended encoding for collections provided by WFS 3.0, along with HTML. The core specification supports several basic filters such as the familiar bbox, the ability to get geographic features and time. For example, this path -

GET /collections/agriculturepnt

returns a geospatial feature collection - which is something in real-world terrain (i.e. buildings or roads). Feature collections are typically described by geometries plus other properties. This approach provides a resource-oriented way to access geospatial features.

In this approach, the feature resource is accessed using HTTP verbs the same way they are used in HTTP itself. Unique operations like GetFeature or Update are no longer used to access or modify feature resources. Instead, we use HTTP methods like GET, POST, PUT, DELETE - which can make things easier for API and client application developers.

HTTP status codes are used to handle error situations, describe specific security schemes and other functions.

The WFS 3.0 approach is consistent with emerging OGC Web API Guidelines. It is also consistent with the resource-oriented approach described in the Testbed-12 OGC REST Users Guide summarized below.

Figure 3. REST levels

Advanced functionality is separated into WFS 3.0 extensions. For example, vector tile delivery, transactions for updates and generalization of features at different resolutions are provided as WFS 3.0 extensions.

Each WFS 3.0 also deploys a landing page which provides easy-to-consume blocks of content describing the API, supported conformance classes and feature resources (collections) [1]. An example of Testbed-14 WFS 3.0 landing pages for the dataset over Daraa, Syria is shown below.

Figure 4. Example of Testbed-14 WFS 3.0 landing pages

The landing page is available at the 'root' path of a WFS 3.0. For example, it is simply this path -

GET /

WFS 3.0 minimizes the use of WFS-specific components as much as possible and instead uses industry standards that are commonly used by developers. The most important example of this is the use of OpenAPI documents instead of OGC-specific "Capabilities" documents. Accordingly, a key element of the initiative was an assessment of the ability of OpenAPI to provide a simple, language-agnostic description of the APIs. Testbed-14 also included TIEs to assess the ability of WFS 3.0 to support modern API specifications and tools such as Swagger.

An example of one of the Testbed-14 WFS 3.0 OpenAPI documents accessed in the Swagger UI is shown below.

Figure 5. An example of one of the Testbed-14 WFS 3.0 OpenAPI documents

The OpenAPI document is available at the 'root' path of the API. For example, it is simply this path -

GET /api

OpenAPI and Swagger allow both humans and computers to understand the capabilities of the API without access to source code, documentation or through network traffic inspection. In addition, OpenAPI documents can be used by code generation tools to generate servers and clients in various programming languages.

5.1.1. Transitioning to Next-Generation APIs

WFS 3.0 with OpenAPI is intended to help the geospatial community ‘break free of legacy’ and implement modern approaches that align with current Web architecture and Spatial Data on the Web Best Practices. However, a cutover capability should be available for geospatial enterprises to provide transition and legacy support.

To ease the transition for geospatial enterprises, Testbed-14 began assessing WFS versioning and facades. For example, some WFS 3.0 implementations also supported WFS 2.x, 1.1 etc. and exposed this functionality through facades. Facades can represent legacy OGC web services as resource oriented WFS 3.0 APIs, easing transition.

Figure 6. Facades

In addition, legacy data models may be complex, with properties that are seldom used by data producers. This can needlessly increase the size and complexity of datasets and reduce the ease of implementation. To address this challenge some WFS 3.0 in Testbed-14 implemented the ability to simplify feature resources exposed.

For example, the screenshot on the left below is from the Zaatari dataset, without additional configuration. the Topographic Data Store (TDS) OpenStreepMap dataset is presented as published in the WFS 2.0 servers, and all properties are delivered to applications. The screenshot on the right shows the same feature resource in the Daraa dataset after the configuration of the WFS 3.0 proxy service to simplify the data. Properties that are never present are not shown, labels have been changed to more human-friendly text, code values have been translated and the name has been set up as the label of a feature.

Figure 7. Zaatari and Daraa dataset screenshots

This section provided a brief introduction to WFS 3.0. Additional information on testing, implementations and security frameworks in Testbed-14 are provided in the Experiments and Implementations sections of this report.

5.2. OpenID Connect and OAuth 2.0

OpenAPI on WFS 3.0 supports multiple security frameworks. For Testbed-14, OpenID Connect and OAuth 2.0 were assessed. OpenID Connect is an authentication layer on top of OAuth 2.0, an authorization framework. OpenID Connect specifies a RESTful API using JSON as a data format. This section provides background information on OpenID Connect and OAuth 2.0 and an introduction to key technologies tested.

OAuth 2.0 provides a standard protocol for authorization. OAuth 2.0 supersedes the work done on the original OAuth protocol created in 2006. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.

OpenID Connect (OIDC) provides a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. OpenID Connect allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. The specification suite is extensible, allowing participants to use optional features such as encryption of identity data, discovery of OpenID Providers, and session management, when it makes sense for them.

5.2.1. OpenID Connect Security Environment

For Testbed-14, participants implemented an Authorization Server, which needs to be compliant with OAuth2.0 and OpenID Connect.

The authorization server adds registration and management capabilities (that populate the LDAP service) on top of the authorization endpoints and makes information about the service available by means of an OpenID Connect Discovery document that lies on a commonly used relative path (/.well-known/openid-configuration).

The Basic Authentication Service is made available for potential use on profile management, and can either use LDAP credentials or utilize the authentication and authorization scheme. The end-users can then interact with clients to retrieve tokens and access services. Additional information on the Testbed-14 OpenID Connect security environment is provided in the OGC Testbed-14 Security Engineering Report.

The configuration of OAuth2.0 and OpenID Connect in the Next Generation APIs - WFS 3.0 component implementation design is shown below. The client application with security handling is provided by GIS.FCU. The WFS 3.0 are provided by Interactive Instruments, GeoSolutions and Cubewerx. The authorization server is provided by Deimos.