root / docs / design / pithos-view-authorization.rst @ 999bf7b6
History | View | Annotate | Download (9.5 kB)
1 | 9f541b00 | Sofia Papagiannaki | Serve untrusted user content |
---|---|---|---|
2 | 9f541b00 | Sofia Papagiannaki | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
3 | 9f541b00 | Sofia Papagiannaki | |
4 | 999bf7b6 | Sofia Papagiannaki | The current document describes how the pithos view accesses the protected |
5 | 999bf7b6 | Sofia Papagiannaki | pithos resources and proposes a new design for granting access to |
6 | 999bf7b6 | Sofia Papagiannaki | the specific resources. It sketches implementation details and configuration |
7 | 999bf7b6 | Sofia Papagiannaki | concerns. |
8 | 999bf7b6 | Sofia Papagiannaki | |
9 | 999bf7b6 | Sofia Papagiannaki | Current state and shortcomings |
10 | 999bf7b6 | Sofia Papagiannaki | ============================== |
11 | 999bf7b6 | Sofia Papagiannaki | |
12 | 999bf7b6 | Sofia Papagiannaki | Pithos in order to identify the user who requests to view a pithos resource |
13 | 999bf7b6 | Sofia Papagiannaki | uses the information stored by astakos in the cookie after a successful user |
14 | 999bf7b6 | Sofia Papagiannaki | authentication login. |
15 | 999bf7b6 | Sofia Papagiannaki | |
16 | 999bf7b6 | Sofia Papagiannaki | The main drawback of this design is that the pithos view which serves untrusted |
17 | 999bf7b6 | Sofia Papagiannaki | user content has access to the sensitive information stored in the cookie. |
18 | 999bf7b6 | Sofia Papagiannaki | |
19 | 999bf7b6 | Sofia Papagiannaki | Abstract |
20 | 999bf7b6 | Sofia Papagiannaki | ======== |
21 | 999bf7b6 | Sofia Papagiannaki | |
22 | 9f541b00 | Sofia Papagiannaki | We want to serve untrusted user content in a domain which does not have access |
23 | 999bf7b6 | Sofia Papagiannaki | to sensitive information. Therefore, we would like the pithos view to be |
24 | 999bf7b6 | Sofia Papagiannaki | deployed in a domain outside the astakos cookie domain. |
25 | 999bf7b6 | Sofia Papagiannaki | |
26 | 999bf7b6 | Sofia Papagiannaki | We propose a design for the pithos view to grant access to the |
27 | 999bf7b6 | Sofia Papagiannaki | access-restricted resource without consulting the cookie. |
28 | 999bf7b6 | Sofia Papagiannaki | |
29 | 999bf7b6 | Sofia Papagiannaki | Briefly the pithos view will request a short-term access token for a specific |
30 | 999bf7b6 | Sofia Papagiannaki | resource from astakos. Before requesting the access token, the view should |
31 | 999bf7b6 | Sofia Papagiannaki | obtain an authorization grant (authorization code) from astakos, which will be |
32 | 999bf7b6 | Sofia Papagiannaki | presented by the view during the request for the access token. |
33 | 9f541b00 | Sofia Papagiannaki | |
34 | 5547485e | Sofia Papagiannaki | The proposed scheme follows the guidelines of the OAuth 2.0 authentication |
35 | 9f541b00 | Sofia Papagiannaki | framework as described in http://tools.ietf.org/html/rfc6749/. |
36 | 9f541b00 | Sofia Papagiannaki | |
37 | 999bf7b6 | Sofia Papagiannaki | Proposed changes |
38 | 999bf7b6 | Sofia Papagiannaki | ================ |
39 | 999bf7b6 | Sofia Papagiannaki | |
40 | 999bf7b6 | Sofia Papagiannaki | We propose to alter the view to obtain authorization according to the |
41 | 999bf7b6 | Sofia Papagiannaki | authorization code grant flow. |
42 | 999bf7b6 | Sofia Papagiannaki | |
43 | 999bf7b6 | Sofia Papagiannaki | The general flow includes the following steps: |
44 | 999bf7b6 | Sofia Papagiannaki | |
45 | 999bf7b6 | Sofia Papagiannaki | #. The user requests to view the content of the protected resource. |
46 | 999bf7b6 | Sofia Papagiannaki | #. The view requests an authorisation code from astakos by providing its |
47 | 999bf7b6 | Sofia Papagiannaki | identifier, the requested scope, and a redirection URI. |
48 | 999bf7b6 | Sofia Papagiannaki | #. Astakos authenticates the user and validates that the redirection URI |
49 | 999bf7b6 | Sofia Papagiannaki | matches with the registered redirect URIs of the view. |
50 | 999bf7b6 | Sofia Papagiannaki | As far as the pithos view is considered a trusted client, astakos grants the |
51 | 999bf7b6 | Sofia Papagiannaki | access request on behalf of the user. |
52 | 999bf7b6 | Sofia Papagiannaki | #. Astakos redirects the user-agent back to the view using the redirection URI |
53 | 999bf7b6 | Sofia Papagiannaki | provided earlier. The redirection URI includes an authorisation code. |
54 | 999bf7b6 | Sofia Papagiannaki | #. The view requests an access token from astakos by including the |
55 | 999bf7b6 | Sofia Papagiannaki | authorisation code in the request. The view also posts its client identifier |
56 | 999bf7b6 | Sofia Papagiannaki | and its client secret in order to authenticate itself with astakos. It also |
57 | 999bf7b6 | Sofia Papagiannaki | supplies the redirection URI used to obtain the authorisation code for |
58 | 999bf7b6 | Sofia Papagiannaki | verification. |
59 | 999bf7b6 | Sofia Papagiannaki | #. Astakos authenticates the view, validates the authorization code, |
60 | 999bf7b6 | Sofia Papagiannaki | and ensures that the redirection URI received matches the URI |
61 | 999bf7b6 | Sofia Papagiannaki | used to redirect the client. |
62 | 999bf7b6 | Sofia Papagiannaki | If valid, astakos responds back with an short-term access token. |
63 | 999bf7b6 | Sofia Papagiannaki | #. The view exchanges with astakos the access token for the information of the |
64 | 999bf7b6 | Sofia Papagiannaki | user to whom the authoritativeness was granted. |
65 | 999bf7b6 | Sofia Papagiannaki | #. The view responds with the resource contents if the user has access to the |
66 | 999bf7b6 | Sofia Papagiannaki | specific resource. |
67 | 999bf7b6 | Sofia Papagiannaki | |
68 | 999bf7b6 | Sofia Papagiannaki | Implementation details |
69 | 999bf7b6 | Sofia Papagiannaki | ====================== |
70 | 9f541b00 | Sofia Papagiannaki | |
71 | 9f541b00 | Sofia Papagiannaki | Pithos view registration to astakos |
72 | 999bf7b6 | Sofia Papagiannaki | ----------------------------------- |
73 | 999bf7b6 | Sofia Papagiannaki | |
74 | efdc8b01 | Sofia Papagiannaki | The pithos view has to authenticate itself with astakos since the latter has to |
75 | 9f541b00 | Sofia Papagiannaki | prevent serving requests by unknown/unauthorized clients. |
76 | 9f541b00 | Sofia Papagiannaki | |
77 | 9f541b00 | Sofia Papagiannaki | Each oauth client is identified by a client identifier (client_id). Moreover, |
78 | 9f541b00 | Sofia Papagiannaki | the confidential clients are authenticated via a password (client_secret). |
79 | 9f541b00 | Sofia Papagiannaki | Then, each client has to declare at least a redirect URI so |
80 | 9f541b00 | Sofia Papagiannaki | that astakos will be able to validate the redirect URI provided during the |
81 | 9f541b00 | Sofia Papagiannaki | authorization code request. If a client is trusted (like a pithos view) astakos |
82 | 9f541b00 | Sofia Papagiannaki | grants access on behalf of the resource owner, otherwise the resource owner has |
83 | 9f541b00 | Sofia Papagiannaki | to be asked. |
84 | 9f541b00 | Sofia Papagiannaki | |
85 | 9f541b00 | Sofia Papagiannaki | We can register an oauth 2.0 client with the following command:: |
86 | 9f541b00 | Sofia Papagiannaki | |
87 | 5547485e | Sofia Papagiannaki | snf-manage oauth2-client-add <client_id> --secret=<secret> --is-trusted --url <redirect_uri> |
88 | 9f541b00 | Sofia Papagiannaki | |
89 | 9f541b00 | Sofia Papagiannaki | For example:: |
90 | 9f541b00 | Sofia Papagiannaki | |
91 | 5547485e | Sofia Papagiannaki | snf-manage oauth2-client-add pithos-view --secret=12345 --is-trusted --url https://pithos.synnefo.live/pithos/ui/view |
92 | 9f541b00 | Sofia Papagiannaki | |
93 | 9f541b00 | Sofia Papagiannaki | |
94 | 9f541b00 | Sofia Papagiannaki | Configure view credentials in pithos |
95 | 999bf7b6 | Sofia Papagiannaki | ------------------------------------ |
96 | 9f541b00 | Sofia Papagiannaki | |
97 | 9f541b00 | Sofia Papagiannaki | To set the credentials issued to pithos view in order to authenticate itself |
98 | 9f541b00 | Sofia Papagiannaki | with astakos during the resource access token generation procedure we have to |
99 | 5547485e | Sofia Papagiannaki | change the ``PITHOS_OAUTH2_CLIENT_CREDENTIALS`` setting. |
100 | 9f541b00 | Sofia Papagiannaki | |
101 | 9f541b00 | Sofia Papagiannaki | The value should be a (<client_id>, <client_secret>) tuple. |
102 | 9f541b00 | Sofia Papagiannaki | |
103 | 9f541b00 | Sofia Papagiannaki | For example:: |
104 | 9f541b00 | Sofia Papagiannaki | |
105 | 5547485e | Sofia Papagiannaki | PITHOS_OAUTH2_CLIENT_CREDENTIALS = ('pithos-view', 12345) |
106 | 9f541b00 | Sofia Papagiannaki | |
107 | 9f541b00 | Sofia Papagiannaki | Authorization code request |
108 | 999bf7b6 | Sofia Papagiannaki | -------------------------- |
109 | 9f541b00 | Sofia Papagiannaki | |
110 | 9f541b00 | Sofia Papagiannaki | The view receives a request without either an access token or an authorization |
111 | 9f541b00 | Sofia Papagiannaki | code. In that case it redirects to astakos's authorization endpoint by adding |
112 | 9f541b00 | Sofia Papagiannaki | the following parameters to the query component using the |
113 | 9f541b00 | Sofia Papagiannaki | "application/x-www-form-urlencoded" format: |
114 | 9f541b00 | Sofia Papagiannaki | |
115 | 9f541b00 | Sofia Papagiannaki | response_type: |
116 | 9f541b00 | Sofia Papagiannaki | 'code' |
117 | 9f541b00 | Sofia Papagiannaki | client_id: |
118 | 9f541b00 | Sofia Papagiannaki | 'pithos-view' |
119 | 9f541b00 | Sofia Papagiannaki | redirect_uri: |
120 | 9f541b00 | Sofia Papagiannaki | the absolute path of the view request |
121 | 9f541b00 | Sofia Papagiannaki | scope: |
122 | 9f541b00 | Sofia Papagiannaki | the user specific part of the view request path |
123 | 9f541b00 | Sofia Papagiannaki | |
124 | 9f541b00 | Sofia Papagiannaki | For example, the client directs the user-agent to make the following HTTP |
125 | 9f541b00 | Sofia Papagiannaki | request using TLS (with extra line breaks for display purposes only):: |
126 | 9f541b00 | Sofia Papagiannaki | |
127 | 5547485e | Sofia Papagiannaki | GET /astakos/oauth2/auth?response_type=code&client_id=pithos-view |
128 | 9f541b00 | Sofia Papagiannaki | &redirect_uri=https%3A//pithos.synnefo.live/pithos/ui/view/b0ee4760-9451-4b9a-85f0-605c48bebbdd/pithos/image.png |
129 | 9f541b00 | Sofia Papagiannaki | &scope=/b0ee4760-9451-4b9a-85f0-605c48bebbdd/pithos/image.png HTTP/1.1 |
130 | 9f541b00 | Sofia Papagiannaki | Host: accounts.synnefo.live |
131 | 9f541b00 | Sofia Papagiannaki | |
132 | 9f541b00 | Sofia Papagiannaki | Access token request |
133 | 999bf7b6 | Sofia Papagiannaki | -------------------- |
134 | 9f541b00 | Sofia Papagiannaki | |
135 | 9f541b00 | Sofia Papagiannaki | Astakos's authorization endpoint responses to a valid authorization code |
136 | 9f541b00 | Sofia Papagiannaki | request by redirecting the user-agent back to the requested view |
137 | 9f541b00 | Sofia Papagiannaki | (redirect_uri parameter). |
138 | 9f541b00 | Sofia Papagiannaki | |
139 | 9f541b00 | Sofia Papagiannaki | The view receives the request which includes the authorization code and |
140 | 9f541b00 | Sofia Papagiannaki | makes a POST request to the astakos's token endpoint by sending the following |
141 | 9f541b00 | Sofia Papagiannaki | parameters using the "application/x-www-form-urlencoded" format in the HTTP |
142 | 9f541b00 | Sofia Papagiannaki | request entity-body: |
143 | 9f541b00 | Sofia Papagiannaki | |
144 | 9f541b00 | Sofia Papagiannaki | grant_type: |
145 | 9f541b00 | Sofia Papagiannaki | "authorization_code" |
146 | 9f541b00 | Sofia Papagiannaki | code: |
147 | 9f541b00 | Sofia Papagiannaki | the authorization code received from the astakos. |
148 | 9f541b00 | Sofia Papagiannaki | redirect_uri: |
149 | 9f541b00 | Sofia Papagiannaki | the "redirect_uri" parameter was included in the authorization request |
150 | 9f541b00 | Sofia Papagiannaki | |
151 | 9f541b00 | Sofia Papagiannaki | Since the pithos view is registered as a confidential client it MUST |
152 | 5547485e | Sofia Papagiannaki | authenticate with astakos by providing an Authorization header including the |
153 | 5547485e | Sofia Papagiannaki | encoded client credentials as described in |
154 | 9f541b00 | Sofia Papagiannaki | http://tools.ietf.org/html/rfc2617#page-11. |
155 | 9f541b00 | Sofia Papagiannaki | |
156 | 9f541b00 | Sofia Papagiannaki | For example, the view makes the following HTTP request using TLS (with extra |
157 | 9f541b00 | Sofia Papagiannaki | line breaks for display purposes only):: |
158 | 9f541b00 | Sofia Papagiannaki | |
159 | 5547485e | Sofia Papagiannaki | POST /astakos/oauth2/token HTTP/1.1 |
160 | 9f541b00 | Sofia Papagiannaki | Host: accounts.synnefo.live |
161 | 9f541b00 | Sofia Papagiannaki | Authorization: Basic cGl0aG9zLXZpZXc6MTIzNDU= |
162 | 9f541b00 | Sofia Papagiannaki | Content-Type: application/x-www-form-urlencoded |
163 | 9f541b00 | Sofia Papagiannaki | |
164 | 9f541b00 | Sofia Papagiannaki | grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA |
165 | 9f541b00 | Sofia Papagiannaki | &redirect_uri=https%3A//pithos.synnefo.live/pithos/ui/view/b0ee4760-9451-4b9a-85f0-605c48bebbdd/pithos/image.png |
166 | 9f541b00 | Sofia Papagiannaki | |
167 | 9f541b00 | Sofia Papagiannaki | |
168 | 9f541b00 | Sofia Papagiannaki | Access to the protected resource |
169 | 999bf7b6 | Sofia Papagiannaki | -------------------------------- |
170 | 9f541b00 | Sofia Papagiannaki | |
171 | 9f541b00 | Sofia Papagiannaki | Astakos's token endpoint replies to a valid token request with a (200 OK) |
172 | 9f541b00 | Sofia Papagiannaki | response:: |
173 | 9f541b00 | Sofia Papagiannaki | |
174 | 9f541b00 | Sofia Papagiannaki | HTTP/1.1 200 OK |
175 | 9f541b00 | Sofia Papagiannaki | Content-Type: application/json;charset=UTF-8 |
176 | 9f541b00 | Sofia Papagiannaki | Cache-Control: no-store |
177 | 9f541b00 | Sofia Papagiannaki | Pragma: no-cache |
178 | 9f541b00 | Sofia Papagiannaki | |
179 | 9f541b00 | Sofia Papagiannaki | { |
180 | 9f541b00 | Sofia Papagiannaki | "access_token":"2YotnFZFEjr1zCsicMWpAA", |
181 | 9f541b00 | Sofia Papagiannaki | "token_type":"Bearer", |
182 | 9f541b00 | Sofia Papagiannaki | "expires_in":20 |
183 | 9f541b00 | Sofia Papagiannaki | } |
184 | 9f541b00 | Sofia Papagiannaki | |
185 | 9f541b00 | Sofia Papagiannaki | The view redirects the user-agent to itself by adding to the query component |
186 | 9f541b00 | Sofia Papagiannaki | the access token. |
187 | 9f541b00 | Sofia Papagiannaki | |
188 | 9f541b00 | Sofia Papagiannaki | The view receives the request which includes an access token and requests |
189 | 9f541b00 | Sofia Papagiannaki | from astakos to validate the token by making a GET HTTP request to the |
190 | 9f541b00 | Sofia Papagiannaki | astakos's validation endpoint:: |
191 | 9f541b00 | Sofia Papagiannaki | |
192 | 9f541b00 | Sofia Papagiannaki | GET /astakos/identity/v2.0/tokens/2YotnFZFEjr1zCsicMWpAA?belongsTo=/b0ee4760-9451-4b9a-85f0-605c48bebbdd/pithos/image.png HTTP/1.1 |
193 | 9f541b00 | Sofia Papagiannaki | Host: accounts.synnefo.live |
194 | 9f541b00 | Sofia Papagiannaki | |
195 | 9f541b00 | Sofia Papagiannaki | The astakos's validation endpoint checks whether the token is valid, has not |
196 | 9f541b00 | Sofia Papagiannaki | expired and that the ``belongsTo`` parameter matches with the ``scope`` |
197 | 9f541b00 | Sofia Papagiannaki | parameter that was included in the token request. |
198 | 9f541b00 | Sofia Papagiannaki | If not valid returns a 404 NOT FOUND response. |
199 | 9f541b00 | Sofia Papagiannaki | If valid, returns the information of the user to whom the token was assigned. |
200 | 9f541b00 | Sofia Papagiannaki | |
201 | 9f541b00 | Sofia Papagiannaki | In the former case the view redirects to the requested path |
202 | 9f541b00 | Sofia Papagiannaki | (without the access token or the authorization code) in order to re-initiate |
203 | 9f541b00 | Sofia Papagiannaki | the procedure by requesting an new authorization code. |
204 | 9f541b00 | Sofia Papagiannaki | |
205 | efdc8b01 | Sofia Papagiannaki | In the latter case the view proceeds with the request and if the user has access |
206 | 9f541b00 | Sofia Papagiannaki | to the requested resource the resource's data are returned, otherwise the |
207 | 9f541b00 | Sofia Papagiannaki | access to resource is forbidden. |
208 | 9f541b00 | Sofia Papagiannaki | |
209 | 9f541b00 | Sofia Papagiannaki | Authorization code and access token invalidation |
210 | 999bf7b6 | Sofia Papagiannaki | ------------------------------------------------ |
211 | 9f541b00 | Sofia Papagiannaki | |
212 | 9f541b00 | Sofia Papagiannaki | Authorization codes can be used only once (they are deleted after a |
213 | 9f541b00 | Sofia Papagiannaki | successful token creation) |
214 | 9f541b00 | Sofia Papagiannaki | |
215 | 5547485e | Sofia Papagiannaki | Token expiration can be set by changing the ``OAUTH2_TOKEN_EXPIRES`` setting. |
216 | 9f541b00 | Sofia Papagiannaki | By default it is set to 20 seconds. |
217 | 9f541b00 | Sofia Papagiannaki | |
218 | 9f541b00 | Sofia Papagiannaki | Tokens granted to a user are deleted after user logout or authentication token |
219 | 9f541b00 | Sofia Papagiannaki | renewal. |
220 | 9f541b00 | Sofia Papagiannaki | |
221 | 9f541b00 | Sofia Papagiannaki | Expired tokens presented to the validation endpoint are also deleted. |
222 | 9f541b00 | Sofia Papagiannaki | |
223 | 9f541b00 | Sofia Papagiannaki | Authorization code and access token length |
224 | 999bf7b6 | Sofia Papagiannaki | ------------------------------------------ |
225 | 9f541b00 | Sofia Papagiannaki | |
226 | 5547485e | Sofia Papagiannaki | Authorization code length is adjustable by the |
227 | 5547485e | Sofia Papagiannaki | ``OAUTH2_AUTHORIZATION_CODE_LENGTH`` setting. By default it is set to |
228 | 5547485e | Sofia Papagiannaki | 60 characters. |
229 | 9f541b00 | Sofia Papagiannaki | |
230 | 5547485e | Sofia Papagiannaki | Token length is adjustable by the ``OAUTH2_TOKEN_LENGTH`` setting. |
231 | 9f541b00 | Sofia Papagiannaki | By default it is set to 30 characters. |
232 | 9f541b00 | Sofia Papagiannaki | |
233 | 9f541b00 | Sofia Papagiannaki | Restrict file serving endpoints to a specific host |
234 | 999bf7b6 | Sofia Papagiannaki | -------------------------------------------------- |
235 | 9f541b00 | Sofia Papagiannaki | |
236 | 9f541b00 | Sofia Papagiannaki | A new setting ``PITHOS_SERVE_API_DOMAIN`` has been introduced. When set, |
237 | 9f541b00 | Sofia Papagiannaki | all api views that serve pithos file contents will be restricted to be served |
238 | 9f541b00 | Sofia Papagiannaki | only under the domain specified in the setting value. |
239 | 9f541b00 | Sofia Papagiannaki | |
240 | 9f541b00 | Sofia Papagiannaki | If an invalid host is identified and request HTTP method is one |
241 | 9f541b00 | Sofia Papagiannaki | of ``GET``, ``HOST``, the server will redirect using a clone of the request |
242 | 9f541b00 | Sofia Papagiannaki | with host replaced to the one the restriction applies to. |