# Federation API
The general contract is the openEO API (opens new window) in the latest stable version of the 1.x branch.
The aggregator that proxies the back-ends in the federation also implements the same API, but it also implements the "Federation Extension" (currently in draft state).
# Authentication and authorization
This important aspect of the federation is standardized by the AARC Blueprint Architecture (opens new window). EGI Check-in is the concrete implementation that is currently in use.
The openEO platform federation standardizes on the use of EGI Check-in (opens new window) as identity provider. Backends have to support the use of openID connect + PKCE, to enable this and register a client with EGI Check-in.
Users of the federation are organized under the 'vo.openeo.cloud' virtual organization in EGI Check-in. Inside the virtual organization, different roles can be assigned to a user, to indicate that they have a certain subscription, or even on a more fine-grained level are entitled to specific actions or resources. The mechanism to check this, is again supported by EGI Check-in, under the 'eduperson_entitlement' claim: https://docs.egi.eu/providers/check-in/sp/#claims
The second criterium for authorization is based on credits that are available to a user. Credits allow the platform to limit the volume of data access and processing operations that a user can perform during a given time frame. The amount of available credits depends on the subscription. When the credit balance of a user goes below zero, processing operations can be blocked.
# Aggregator rules
Based on the subscription and available credits, the aggregator can implement these rules:
- Credit checks to block starting of batch jobs, synchronous requests to /result and viewing services.
- Rate limiting (TBD)
# Backend rules
Some authorization rules will need to be enforced by the backends themselves:
- Basic access and access to user specific resources based on subscription role.
- Number of concurrent batch jobs
- Available processing resources, batch job priorities
- Batch job result data volume
- Access to restricted collections