Revision 999bf7b6 docs/design/pithos-view-authorization.rst
| b/docs/design/pithos-view-authorization.rst | ||
|---|---|---|
| 1 | 1 |
Serve untrusted user content |
| 2 | 2 |
^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 3 | 3 |
|
| 4 |
The current document describes how the pithos view accesses the protected |
|
| 5 |
pithos resources and proposes a new design for granting access to |
|
| 6 |
the specific resources. It sketches implementation details and configuration |
|
| 7 |
concerns. |
|
| 8 |
|
|
| 9 |
Current state and shortcomings |
|
| 10 |
============================== |
|
| 11 |
|
|
| 12 |
Pithos in order to identify the user who requests to view a pithos resource |
|
| 13 |
uses the information stored by astakos in the cookie after a successful user |
|
| 14 |
authentication login. |
|
| 15 |
|
|
| 16 |
The main drawback of this design is that the pithos view which serves untrusted |
|
| 17 |
user content has access to the sensitive information stored in the cookie. |
|
| 18 |
|
|
| 19 |
Abstract |
|
| 20 |
======== |
|
| 21 |
|
|
| 4 | 22 |
We want to serve untrusted user content in a domain which does not have access |
| 5 |
to sensitive information. The information used by pithos view is set by astakos |
|
| 6 |
in the cookie after a successful user authentication login. Starting from |
|
| 7 |
synnefo version 0.15, the pithos view will be deployed in a domain outside the |
|
| 8 |
astakos cookie domain. The current document describes how the pithos view can |
|
| 9 |
grant access to the protected pithos resources. |
|
| 23 |
to sensitive information. Therefore, we would like the pithos view to be |
|
| 24 |
deployed in a domain outside the astakos cookie domain. |
|
| 25 |
|
|
| 26 |
We propose a design for the pithos view to grant access to the |
|
| 27 |
access-restricted resource without consulting the cookie. |
|
| 28 |
|
|
| 29 |
Briefly the pithos view will request a short-term access token for a specific |
|
| 30 |
resource from astakos. Before requesting the access token, the view should |
|
| 31 |
obtain an authorization grant (authorization code) from astakos, which will be |
|
| 32 |
presented by the view during the request for the access token. |
|
| 10 | 33 |
|
| 11 | 34 |
The proposed scheme follows the guidelines of the OAuth 2.0 authentication |
| 12 | 35 |
framework as described in http://tools.ietf.org/html/rfc6749/. |
| 13 | 36 |
|
| 14 |
Briefly the pithos view requests a short-term access token for a specific |
|
| 15 |
resource from astakos. Before requesting the access token, the view obtains |
|
| 16 |
an authorization grant (authorization code) from astakos, which is then |
|
| 17 |
presented by the view during the request for the access token. |
|
| 37 |
Proposed changes |
|
| 38 |
================ |
|
| 39 |
|
|
| 40 |
We propose to alter the view to obtain authorization according to the |
|
| 41 |
authorization code grant flow. |
|
| 42 |
|
|
| 43 |
The general flow includes the following steps: |
|
| 44 |
|
|
| 45 |
#. The user requests to view the content of the protected resource. |
|
| 46 |
#. The view requests an authorisation code from astakos by providing its |
|
| 47 |
identifier, the requested scope, and a redirection URI. |
|
| 48 |
#. Astakos authenticates the user and validates that the redirection URI |
|
| 49 |
matches with the registered redirect URIs of the view. |
|
| 50 |
As far as the pithos view is considered a trusted client, astakos grants the |
|
| 51 |
access request on behalf of the user. |
|
| 52 |
#. Astakos redirects the user-agent back to the view using the redirection URI |
|
| 53 |
provided earlier. The redirection URI includes an authorisation code. |
|
| 54 |
#. The view requests an access token from astakos by including the |
|
| 55 |
authorisation code in the request. The view also posts its client identifier |
|
| 56 |
and its client secret in order to authenticate itself with astakos. It also |
|
| 57 |
supplies the redirection URI used to obtain the authorisation code for |
|
| 58 |
verification. |
|
| 59 |
#. Astakos authenticates the view, validates the authorization code, |
|
| 60 |
and ensures that the redirection URI received matches the URI |
|
| 61 |
used to redirect the client. |
|
| 62 |
If valid, astakos responds back with an short-term access token. |
|
| 63 |
#. The view exchanges with astakos the access token for the information of the |
|
| 64 |
user to whom the authoritativeness was granted. |
|
| 65 |
#. The view responds with the resource contents if the user has access to the |
|
| 66 |
specific resource. |
|
| 67 |
|
|
| 68 |
Implementation details |
|
| 69 |
====================== |
|
| 18 | 70 |
|
| 19 | 71 |
Pithos view registration to astakos |
| 20 |
=================================== |
|
| 72 |
----------------------------------- |
|
| 73 |
|
|
| 21 | 74 |
The pithos view has to authenticate itself with astakos since the latter has to |
| 22 | 75 |
prevent serving requests by unknown/unauthorized clients. |
| 23 | 76 |
|
| ... | ... | |
| 39 | 92 |
|
| 40 | 93 |
|
| 41 | 94 |
Configure view credentials in pithos |
| 42 |
====================================
|
|
| 95 |
------------------------------------
|
|
| 43 | 96 |
|
| 44 | 97 |
To set the credentials issued to pithos view in order to authenticate itself |
| 45 | 98 |
with astakos during the resource access token generation procedure we have to |
| ... | ... | |
| 51 | 104 |
|
| 52 | 105 |
PITHOS_OAUTH2_CLIENT_CREDENTIALS = ('pithos-view', 12345)
|
| 53 | 106 |
|
| 54 |
Authorization Code Grant Flow |
|
| 55 |
============================= |
|
| 56 |
The general flow includes the following steps: |
|
| 57 |
|
|
| 58 |
#. The user requests to view the content of the protected resource. |
|
| 59 |
#. The view requests an authorisation code from astakos by providing its |
|
| 60 |
identifier, the requested scope, and a redirection URI. |
|
| 61 |
#. Astakos authenticates the user and validates that the redirection URI |
|
| 62 |
matches with the registered redirect URIs of the view. |
|
| 63 |
As far as the pithos view is considered a trusted client, astakos grants the |
|
| 64 |
access request on behalf of the user. |
|
| 65 |
#. Astakos redirects the user-agent back to the view using the redirection URI |
|
| 66 |
provided earlier. The redirection URI includes an authorisation code. |
|
| 67 |
#. The view requests an access token from astakos by including the |
|
| 68 |
authorisation code in the request. The view also posts its client identifier |
|
| 69 |
and its client secret in order to authenticate itself with astakos. It also |
|
| 70 |
supplies the redirection URI used to obtain the authorisation code for |
|
| 71 |
verification. |
|
| 72 |
#. Astakos authenticates the view, validates the authorization code, |
|
| 73 |
and ensures that the redirection URI received matches the URI |
|
| 74 |
used to redirect the client. |
|
| 75 |
If valid, astakos responds back with an short-term access token. |
|
| 76 |
#. The view exchanges with astakos the access token for the information of the |
|
| 77 |
user to whom the authoritativeness was granted. |
|
| 78 |
#. The view responds with the resource contents if the user has access to the |
|
| 79 |
specific resource. |
|
| 80 |
|
|
| 81 |
|
|
| 82 | 107 |
Authorization code request |
| 83 |
==========================
|
|
| 108 |
--------------------------
|
|
| 84 | 109 |
|
| 85 | 110 |
The view receives a request without either an access token or an authorization |
| 86 | 111 |
code. In that case it redirects to astakos's authorization endpoint by adding |
| ... | ... | |
| 105 | 130 |
Host: accounts.synnefo.live |
| 106 | 131 |
|
| 107 | 132 |
Access token request |
| 108 |
====================
|
|
| 133 |
--------------------
|
|
| 109 | 134 |
|
| 110 | 135 |
Astakos's authorization endpoint responses to a valid authorization code |
| 111 | 136 |
request by redirecting the user-agent back to the requested view |
| ... | ... | |
| 141 | 166 |
|
| 142 | 167 |
|
| 143 | 168 |
Access to the protected resource |
| 144 |
================================
|
|
| 169 |
--------------------------------
|
|
| 145 | 170 |
|
| 146 | 171 |
Astakos's token endpoint replies to a valid token request with a (200 OK) |
| 147 | 172 |
response:: |
| ... | ... | |
| 182 | 207 |
access to resource is forbidden. |
| 183 | 208 |
|
| 184 | 209 |
Authorization code and access token invalidation |
| 185 |
================================================
|
|
| 210 |
------------------------------------------------
|
|
| 186 | 211 |
|
| 187 | 212 |
Authorization codes can be used only once (they are deleted after a |
| 188 | 213 |
successful token creation) |
| ... | ... | |
| 196 | 221 |
Expired tokens presented to the validation endpoint are also deleted. |
| 197 | 222 |
|
| 198 | 223 |
Authorization code and access token length |
| 199 |
==========================================
|
|
| 224 |
------------------------------------------
|
|
| 200 | 225 |
|
| 201 | 226 |
Authorization code length is adjustable by the |
| 202 | 227 |
``OAUTH2_AUTHORIZATION_CODE_LENGTH`` setting. By default it is set to |
| ... | ... | |
| 206 | 231 |
By default it is set to 30 characters. |
| 207 | 232 |
|
| 208 | 233 |
Restrict file serving endpoints to a specific host |
| 209 |
==================================================
|
|
| 234 |
--------------------------------------------------
|
|
| 210 | 235 |
|
| 211 | 236 |
A new setting ``PITHOS_SERVE_API_DOMAIN`` has been introduced. When set, |
| 212 | 237 |
all api views that serve pithos file contents will be restricted to be served |
Also available in: Unified diff