Revision 999bf7b6 docs/design/pithos-view-authorization.rst
b/docs/design/pithos-view-authorization.rst | ||
---|---|---|
1 | 1 |
Serve untrusted user content |
2 | 2 |
^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
3 | 3 |
|
4 |
The current document describes how the pithos view accesses the protected |
|
5 |
pithos resources and proposes a new design for granting access to |
|
6 |
the specific resources. It sketches implementation details and configuration |
|
7 |
concerns. |
|
8 |
|
|
9 |
Current state and shortcomings |
|
10 |
============================== |
|
11 |
|
|
12 |
Pithos in order to identify the user who requests to view a pithos resource |
|
13 |
uses the information stored by astakos in the cookie after a successful user |
|
14 |
authentication login. |
|
15 |
|
|
16 |
The main drawback of this design is that the pithos view which serves untrusted |
|
17 |
user content has access to the sensitive information stored in the cookie. |
|
18 |
|
|
19 |
Abstract |
|
20 |
======== |
|
21 |
|
|
4 | 22 |
We want to serve untrusted user content in a domain which does not have access |
5 |
to sensitive information. The information used by pithos view is set by astakos |
|
6 |
in the cookie after a successful user authentication login. Starting from |
|
7 |
synnefo version 0.15, the pithos view will be deployed in a domain outside the |
|
8 |
astakos cookie domain. The current document describes how the pithos view can |
|
9 |
grant access to the protected pithos resources. |
|
23 |
to sensitive information. Therefore, we would like the pithos view to be |
|
24 |
deployed in a domain outside the astakos cookie domain. |
|
25 |
|
|
26 |
We propose a design for the pithos view to grant access to the |
|
27 |
access-restricted resource without consulting the cookie. |
|
28 |
|
|
29 |
Briefly the pithos view will request a short-term access token for a specific |
|
30 |
resource from astakos. Before requesting the access token, the view should |
|
31 |
obtain an authorization grant (authorization code) from astakos, which will be |
|
32 |
presented by the view during the request for the access token. |
|
10 | 33 |
|
11 | 34 |
The proposed scheme follows the guidelines of the OAuth 2.0 authentication |
12 | 35 |
framework as described in http://tools.ietf.org/html/rfc6749/. |
13 | 36 |
|
14 |
Briefly the pithos view requests a short-term access token for a specific |
|
15 |
resource from astakos. Before requesting the access token, the view obtains |
|
16 |
an authorization grant (authorization code) from astakos, which is then |
|
17 |
presented by the view during the request for the access token. |
|
37 |
Proposed changes |
|
38 |
================ |
|
39 |
|
|
40 |
We propose to alter the view to obtain authorization according to the |
|
41 |
authorization code grant flow. |
|
42 |
|
|
43 |
The general flow includes the following steps: |
|
44 |
|
|
45 |
#. The user requests to view the content of the protected resource. |
|
46 |
#. The view requests an authorisation code from astakos by providing its |
|
47 |
identifier, the requested scope, and a redirection URI. |
|
48 |
#. Astakos authenticates the user and validates that the redirection URI |
|
49 |
matches with the registered redirect URIs of the view. |
|
50 |
As far as the pithos view is considered a trusted client, astakos grants the |
|
51 |
access request on behalf of the user. |
|
52 |
#. Astakos redirects the user-agent back to the view using the redirection URI |
|
53 |
provided earlier. The redirection URI includes an authorisation code. |
|
54 |
#. The view requests an access token from astakos by including the |
|
55 |
authorisation code in the request. The view also posts its client identifier |
|
56 |
and its client secret in order to authenticate itself with astakos. It also |
|
57 |
supplies the redirection URI used to obtain the authorisation code for |
|
58 |
verification. |
|
59 |
#. Astakos authenticates the view, validates the authorization code, |
|
60 |
and ensures that the redirection URI received matches the URI |
|
61 |
used to redirect the client. |
|
62 |
If valid, astakos responds back with an short-term access token. |
|
63 |
#. The view exchanges with astakos the access token for the information of the |
|
64 |
user to whom the authoritativeness was granted. |
|
65 |
#. The view responds with the resource contents if the user has access to the |
|
66 |
specific resource. |
|
67 |
|
|
68 |
Implementation details |
|
69 |
====================== |
|
18 | 70 |
|
19 | 71 |
Pithos view registration to astakos |
20 |
=================================== |
|
72 |
----------------------------------- |
|
73 |
|
|
21 | 74 |
The pithos view has to authenticate itself with astakos since the latter has to |
22 | 75 |
prevent serving requests by unknown/unauthorized clients. |
23 | 76 |
|
... | ... | |
39 | 92 |
|
40 | 93 |
|
41 | 94 |
Configure view credentials in pithos |
42 |
====================================
|
|
95 |
------------------------------------
|
|
43 | 96 |
|
44 | 97 |
To set the credentials issued to pithos view in order to authenticate itself |
45 | 98 |
with astakos during the resource access token generation procedure we have to |
... | ... | |
51 | 104 |
|
52 | 105 |
PITHOS_OAUTH2_CLIENT_CREDENTIALS = ('pithos-view', 12345) |
53 | 106 |
|
54 |
Authorization Code Grant Flow |
|
55 |
============================= |
|
56 |
The general flow includes the following steps: |
|
57 |
|
|
58 |
#. The user requests to view the content of the protected resource. |
|
59 |
#. The view requests an authorisation code from astakos by providing its |
|
60 |
identifier, the requested scope, and a redirection URI. |
|
61 |
#. Astakos authenticates the user and validates that the redirection URI |
|
62 |
matches with the registered redirect URIs of the view. |
|
63 |
As far as the pithos view is considered a trusted client, astakos grants the |
|
64 |
access request on behalf of the user. |
|
65 |
#. Astakos redirects the user-agent back to the view using the redirection URI |
|
66 |
provided earlier. The redirection URI includes an authorisation code. |
|
67 |
#. The view requests an access token from astakos by including the |
|
68 |
authorisation code in the request. The view also posts its client identifier |
|
69 |
and its client secret in order to authenticate itself with astakos. It also |
|
70 |
supplies the redirection URI used to obtain the authorisation code for |
|
71 |
verification. |
|
72 |
#. Astakos authenticates the view, validates the authorization code, |
|
73 |
and ensures that the redirection URI received matches the URI |
|
74 |
used to redirect the client. |
|
75 |
If valid, astakos responds back with an short-term access token. |
|
76 |
#. The view exchanges with astakos the access token for the information of the |
|
77 |
user to whom the authoritativeness was granted. |
|
78 |
#. The view responds with the resource contents if the user has access to the |
|
79 |
specific resource. |
|
80 |
|
|
81 |
|
|
82 | 107 |
Authorization code request |
83 |
==========================
|
|
108 |
--------------------------
|
|
84 | 109 |
|
85 | 110 |
The view receives a request without either an access token or an authorization |
86 | 111 |
code. In that case it redirects to astakos's authorization endpoint by adding |
... | ... | |
105 | 130 |
Host: accounts.synnefo.live |
106 | 131 |
|
107 | 132 |
Access token request |
108 |
====================
|
|
133 |
--------------------
|
|
109 | 134 |
|
110 | 135 |
Astakos's authorization endpoint responses to a valid authorization code |
111 | 136 |
request by redirecting the user-agent back to the requested view |
... | ... | |
141 | 166 |
|
142 | 167 |
|
143 | 168 |
Access to the protected resource |
144 |
================================
|
|
169 |
--------------------------------
|
|
145 | 170 |
|
146 | 171 |
Astakos's token endpoint replies to a valid token request with a (200 OK) |
147 | 172 |
response:: |
... | ... | |
182 | 207 |
access to resource is forbidden. |
183 | 208 |
|
184 | 209 |
Authorization code and access token invalidation |
185 |
================================================
|
|
210 |
------------------------------------------------
|
|
186 | 211 |
|
187 | 212 |
Authorization codes can be used only once (they are deleted after a |
188 | 213 |
successful token creation) |
... | ... | |
196 | 221 |
Expired tokens presented to the validation endpoint are also deleted. |
197 | 222 |
|
198 | 223 |
Authorization code and access token length |
199 |
==========================================
|
|
224 |
------------------------------------------
|
|
200 | 225 |
|
201 | 226 |
Authorization code length is adjustable by the |
202 | 227 |
``OAUTH2_AUTHORIZATION_CODE_LENGTH`` setting. By default it is set to |
... | ... | |
206 | 231 |
By default it is set to 30 characters. |
207 | 232 |
|
208 | 233 |
Restrict file serving endpoints to a specific host |
209 |
==================================================
|
|
234 |
--------------------------------------------------
|
|
210 | 235 |
|
211 | 236 |
A new setting ``PITHOS_SERVE_API_DOMAIN`` has been introduced. When set, |
212 | 237 |
all api views that serve pithos file contents will be restricted to be served |
Also available in: Unified diff