OpenCloudMesh Summary

Jun 6, 2025

OpenCloudMesh is an established standard for sharing access to files and other resources. It is used in well-known applications such as Nextcloud, ownCloud, EOS and Seafile and has been proven in large-scale deployments at organisations such as Sciebo, GÉANT and CERN. While OpenCloudMesh is focused on file sharing, it is also capable of managing shares based on any other access protocol.

Establishing Trust

The operator of an OpenGeoMesh server can control which feature collections can be shared with which recipients. By using the optional OCM Invite Flow of OpenCloudMesh, sharing can be restricted to trusted partners: both servers apply their own trust policy before adding the other to their allowlist.

  sequenceDiagram
    title OCM Invite Flow 
    actor Alice
    participant A as OCM Server A<br/>(Invite Sender)
    participant B as OCM Server B<br/>(Invite Receiver)
    actor Bob
    Alice ->> +A: Create Invite Message
    A -->> -Alice: Invite Message with token
    Alice ->> Bob: Invite Message, Out of Band, e.g. via Mail
    Bob ->> +B: Invite Acceptance Gesture
    B ->> +A: OCM API Discovery
    A -->> -B: API Info (e.g. Organisation Name)
    B ->> B: check trust policy
    B ->> +A: Invite Acceptance Request
    A ->> A: check trust policy
    A -->> B: Invite Acceptance Response
    A ->> -A: Add B to allowlist
    B ->> B: Add A to allowlist
    B -->> -Bob: Response

Creating a Share

Users of one organisation can create shares for users and groups from other organisations using the recipient's OCM Address. OCM Addresses for users and groups are defined by the operator of the receiving server, e.g. user-id@feuerwehr-musterstadt.de, FFW-Musterstadt@situation-map-software.com or Einsatzleitung.FFW-Musterstadt@situation-map-software.com.

When creating a share, it must first be checked whether the sending party is authorized to grant read or write access to the given feature collection to the receiving party.

  sequenceDiagram
    title OCM Create Share (Extended by OGM specific access checks)
    actor Alice as Alice<br/>(Sending Party)
    participant A as OCM Server A<br/>(Sending Server)
    participant A_ogc as OGC API Server A
    participant B as OCM Server B<br/>(Receiving Server)
    actor Bob as Bob<br/>(Receiving Party)
    Alice ->> +A: Sharing Gesture<br/>(Resource to be shared, Receiving Party's identifier, ...)
    A ->> A: check allowlist
    A ->> +A_ogc: Get Collection
    A_ogc -->> -A: Collection name, description, permissions
    A ->> A: check permissions
    A ->> B: OCM API Discovery<br/>(skipped when details are stored in allowlist)
    B -->> A: API Info (e.g. Organisation Name)
    A ->> A: Store new Share Info
    A ->> +B: Share Creation Notification<br/>with protocol "ogcapi"
    B ->> B: check allowlist
    B ->> Bob: Receiving Party Notification
    Bob -->> B: Acceptance
    B ->> A: OCM API Discovery<br/>(skipped when details are available)
    A -->> B: API Info (e.g. Organisation Name)
    B ->> A: Share Acceptance Notification
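
The two sequence diagrams above, the OCM Invite Flow and the OGM-extended Create Share flow, modelled in-process as an added example. This is not OpenGeoMesh's or OpenCloudMesh's code: the two servers are plain Python objects, a method call stands in for each network hop, and the message field names, the trust policy (by organisation name), the permission model on a collection and the `.example` domains are assumptions for illustration, not the OCM wire format.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Collection:
    """A feature collection on the OGC API server. `grantable` maps a local
    user to the permissions that user may pass on (assumed model)."""
    name: str
    grantable: dict[str, set[str]]


@dataclass
class OcmServer:
    domain: str
    organisation: str
    trusted_orgs: set[str]                                    # trust policy (assumed: by organisation)
    collections: dict[str, Collection] = field(default_factory=dict)
    allowlist: dict[str, dict] = field(default_factory=dict)  # peer domain -> discovered API info
    invites: dict[str, str] = field(default_factory=dict)     # invite token -> inviting user
    inbox: list[dict] = field(default_factory=list)           # received shares, pending acceptance

    # --- OCM API Discovery: what a peer learns about this server ---
    def discover(self) -> dict:
        return {"domain": self.domain, "organisation": self.organisation}

    def _check_trust(self, info: dict) -> None:
        if info["organisation"] not in self.trusted_orgs:
            raise PermissionError(f"{self.domain}: trust policy rejects {info['organisation']}")

    # --- OCM Invite Flow ---
    def create_invite(self, user: str) -> dict:
        """Sender side (A): mint a single-use, unguessable token bound to the inviting user."""
        token = secrets.token_urlsafe(16)
        self.invites[token] = user
        return {"token": token, "domain": self.domain}      # handed to Bob out of band

    def accept_invite(self, invite: dict, sender: "OcmServer") -> str:
        """Receiver side (B): discover A, apply B's own trust policy, then ask A to confirm."""
        info = sender.discover()
        self._check_trust(info)
        inviter = sender.confirm_invite(invite["token"], self)  # A applies its policy too
        self.allowlist[sender.domain] = info                    # only reached if A agreed
        return inviter

    def confirm_invite(self, token: str, receiver: "OcmServer") -> str:
        """Sender side (A): consume the token, apply trust policy, allowlist B."""
        inviter = self.invites.pop(token, None)                 # single use
        if inviter is None:
            raise PermissionError(f"{self.domain}: unknown or already used invite token")
        info = receiver.discover()
        self._check_trust(info)
        self.allowlist[receiver.domain] = info
        return inviter

    # --- Create Share, extended by the OGM-specific access checks ---
    def create_share(self, sender_user: str, collection: str,
                     receiver: "OcmServer", recipient: str, permission: str) -> dict:
        if receiver.domain not in self.allowlist:               # discovery skipped: details stored
            raise PermissionError(f"{self.domain}: {receiver.domain} is not allowlisted")
        col = self.collections[collection]                      # "Get Collection" from OGC API server
        if permission not in col.grantable.get(sender_user, set()):
            raise PermissionError(f"{sender_user} may not grant {permission} on {collection}")
        share = {"name": col.name, "owner": f"{sender_user}@{self.domain}",
                 "shareWith": f"{recipient}@{receiver.domain}",
                 "protocol": "ogcapi", "permission": permission, "accepted": False}
        receiver.receive_share(share, self)                     # Share Creation Notification
        return share

    def receive_share(self, share: dict, sender: "OcmServer") -> None:
        if sender.domain not in self.allowlist:                 # receiving side checks too
            raise PermissionError(f"{self.domain}: share from non-allowlisted {sender.domain}")
        self.inbox.append(share)

    def accept_share(self, share: dict) -> None:
        """Bob accepts; in the real flow this triggers the Share Acceptance Notification to A."""
        share["accepted"] = True


def run_demo() -> dict:
    # Constructed sample deployment: two organisations that trust each other and one outsider.
    a = OcmServer("fire.example", "Feuerwehr Musterstadt", {"Situation Map Software"})
    b = OcmServer("map.example", "Situation Map Software", {"Feuerwehr Musterstadt"})
    outsider = OcmServer("other.example", "Unknown Org", {"Feuerwehr Musterstadt"})
    a.collections["incidents"] = Collection("incidents", {"alice": {"read", "write"}, "carol": {"read"}})
    results = {}
    invite = a.create_invite("alice")
    results["inviter"] = b.accept_invite(invite, a)                 # full invite flow succeeds
    results["mutual"] = b.domain in a.allowlist and a.domain in b.allowlist
    try:                                                            # reusing the token fails at A
        b.accept_invite(invite, a)
        results["token_reuse_rejected"] = False
    except PermissionError:
        results["token_reuse_rejected"] = True
    try:                                                            # A's trust policy rejects the outsider
        outsider.accept_invite(a.create_invite("alice"), a)
        results["outsider_rejected"] = False
    except PermissionError:
        results["outsider_rejected"] = a.domain not in outsider.allowlist
    try:                                                            # carol may only grant read
        a.create_share("carol", "incidents", b, "bob", "write")
        results["write_denied"] = False
    except PermissionError:
        results["write_denied"] = True
    results["share"] = a.create_share("alice", "incidents", b, "bob", "read")
    b.accept_share(b.inbox[-1])
    return results
```

The point the model makes explicit is that trust is checked independently on both sides and the allowlist entry is written only after the peer has agreed, so a rejection by either server leaves neither allowlist changed; the share step then relies on that allowlist and on the collection's own permissions rather than on the sharing gesture alone.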