root / docs / design / pithos-separate-view-domain.rst @ d8e8581b
History | View | Annotate | Download (9.5 kB)
1 | d8e8581b | Constantinos Venetsanopoulos | Pithos separate view domain |
---|---|---|---|
2 | d8e8581b | Constantinos Venetsanopoulos | ^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
3 | 9f541b00 | Sofia Papagiannaki | |
4 | d8e8581b | Constantinos Venetsanopoulos | This document describes how the Pithos view accesses the protected Pithos |
5 | d8e8581b | Constantinos Venetsanopoulos | resources and proposes a new design for granting access to specific resources. |
6 | d8e8581b | Constantinos Venetsanopoulos | It sketches implementation details and configuration concerns. |
7 | 999bf7b6 | Sofia Papagiannaki | |
8 | 999bf7b6 | Sofia Papagiannaki | |
9 | 999bf7b6 | Sofia Papagiannaki | Abstract |
10 | 999bf7b6 | Sofia Papagiannaki | ======== |
11 | 999bf7b6 | Sofia Papagiannaki | |
12 | 9f541b00 | Sofia Papagiannaki | We want to serve untrusted user content in a domain which does not have access |
13 | d8e8581b | Constantinos Venetsanopoulos | to sensitive information. Therefore, we would like the Pithos view to be |
14 | d8e8581b | Constantinos Venetsanopoulos | deployed in a domain outside the Astakos cookie domain. |
15 | 999bf7b6 | Sofia Papagiannaki | |
16 | d8e8581b | Constantinos Venetsanopoulos | We propose a design for the Pithos view to grant access to the |
17 | 999bf7b6 | Sofia Papagiannaki | access-restricted resource without consulting the cookie. |
18 | 999bf7b6 | Sofia Papagiannaki | |
19 | d8e8581b | Constantinos Venetsanopoulos | Briefly, the Pithos view will request a short-term access token for a specific |
20 | d8e8581b | Constantinos Venetsanopoulos | resource from Astakos. Before requesting the access token, the view should |
21 | d8e8581b | Constantinos Venetsanopoulos | obtain an authorization grant (authorization code) from Astakos, which will be |
22 | 999bf7b6 | Sofia Papagiannaki | presented by the view during the request for the access token. |
23 | 9f541b00 | Sofia Papagiannaki | |
24 | 5547485e | Sofia Papagiannaki | The proposed scheme follows the guidelines of the OAuth 2.0 authentication |
25 | 9f541b00 | Sofia Papagiannaki | framework as described in http://tools.ietf.org/html/rfc6749/. |
26 | 9f541b00 | Sofia Papagiannaki | |
27 | d8e8581b | Constantinos Venetsanopoulos | |
28 | d8e8581b | Constantinos Venetsanopoulos | Current state and shortcomings |
29 | d8e8581b | Constantinos Venetsanopoulos | ============================== |
30 | d8e8581b | Constantinos Venetsanopoulos | |
31 | d8e8581b | Constantinos Venetsanopoulos | Until now, Pithos, in order to identify the user who requests to view a Pithos |
32 | d8e8581b | Constantinos Venetsanopoulos | resource, uses the information stored by Astakos in the cookie after a |
33 | d8e8581b | Constantinos Venetsanopoulos | successful user authentication login. |
34 | d8e8581b | Constantinos Venetsanopoulos | |
35 | d8e8581b | Constantinos Venetsanopoulos | The main drawback of this design is that the Pithos view which serves untrusted |
36 | d8e8581b | Constantinos Venetsanopoulos | user content has access to the sensitive information stored in the Astakos |
37 | d8e8581b | Constantinos Venetsanopoulos | cookie. |
38 | d8e8581b | Constantinos Venetsanopoulos | |
39 | d8e8581b | Constantinos Venetsanopoulos | |
40 | 999bf7b6 | Sofia Papagiannaki | Proposed changes |
41 | 999bf7b6 | Sofia Papagiannaki | ================ |
42 | 999bf7b6 | Sofia Papagiannaki | |
43 | d8e8581b | Constantinos Venetsanopoulos | We propose to alter the Pithos view to obtain authorization according to the |
44 | 999bf7b6 | Sofia Papagiannaki | authorization code grant flow. |
45 | 999bf7b6 | Sofia Papagiannaki | |
46 | d8e8581b | Constantinos Venetsanopoulos | The general flow comprises the following steps: |
47 | 999bf7b6 | Sofia Papagiannaki | |
48 | d8e8581b | Constantinos Venetsanopoulos | #. The user requests to view the content of a protected resource. |
49 | d8e8581b | Constantinos Venetsanopoulos | #. The view requests an authorization code from Astakos by providing its |
50 | 999bf7b6 | Sofia Papagiannaki | identifier, the requested scope, and a redirection URI. |
51 | 999bf7b6 | Sofia Papagiannaki | #. Astakos authenticates the user and validates that the redirection URI |
52 | 999bf7b6 | Sofia Papagiannaki | matches with the registered redirect URIs of the view. |
53 | d8e8581b | Constantinos Venetsanopoulos | Once the Pithos view is considered a trusted client, Astakos grants the |
54 | 999bf7b6 | Sofia Papagiannaki | access request on behalf of the user. |
55 | 999bf7b6 | Sofia Papagiannaki | #. Astakos redirects the user-agent back to the view using the redirection URI |
56 | 999bf7b6 | Sofia Papagiannaki | provided earlier. The redirection URI includes an authorisation code. |
57 | d8e8581b | Constantinos Venetsanopoulos | #. The view requests an access token from Astakos by including the |
58 | 999bf7b6 | Sofia Papagiannaki | authorisation code in the request. The view also posts its client identifier |
59 | d8e8581b | Constantinos Venetsanopoulos | and its client secret in order to authenticate itself with Astakos. It also |
60 | 999bf7b6 | Sofia Papagiannaki | supplies the redirection URI used to obtain the authorisation code for |
61 | 999bf7b6 | Sofia Papagiannaki | verification. |
62 | d8e8581b | Constantinos Venetsanopoulos | #. Astakos authenticates the view, validates the authorization code, and ensures |
63 | d8e8581b | Constantinos Venetsanopoulos | that the redirection URI received matches the URI used to redirect the |
64 | d8e8581b | Constantinos Venetsanopoulos | client. If valid, Astakos responds back with a short-term access token. |
65 | d8e8581b | Constantinos Venetsanopoulos | #. The view exchanges with Astakos the access token for the information of the |
66 | 999bf7b6 | Sofia Papagiannaki | user to whom the authoritativeness was granted. |
67 | 999bf7b6 | Sofia Papagiannaki | #. The view responds with the resource contents if the user has access to the |
68 | 999bf7b6 | Sofia Papagiannaki | specific resource. |
69 | 999bf7b6 | Sofia Papagiannaki | |
70 | d8e8581b | Constantinos Venetsanopoulos | |
71 | 999bf7b6 | Sofia Papagiannaki | Implementation details |
72 | 999bf7b6 | Sofia Papagiannaki | ====================== |
73 | 9f541b00 | Sofia Papagiannaki | |
74 | d8e8581b | Constantinos Venetsanopoulos | Pithos view registration to Astakos |
75 | 999bf7b6 | Sofia Papagiannaki | ----------------------------------- |
76 | 999bf7b6 | Sofia Papagiannaki | |
77 | d8e8581b | Constantinos Venetsanopoulos | The Pithos view has to authenticate itself with Astakos since the latter has to |
78 | 9f541b00 | Sofia Papagiannaki | prevent serving requests by unknown/unauthorized clients. |
79 | 9f541b00 | Sofia Papagiannaki | |
80 | d8e8581b | Constantinos Venetsanopoulos | Each OAuth client is identified by a client identifier (``client_id``). |
81 | d8e8581b | Constantinos Venetsanopoulos | Moreover, the confidential clients are authenticated via a password |
82 | d8e8581b | Constantinos Venetsanopoulos | (``client_secret``). Then, each client has to declare at least one redirect |
83 | d8e8581b | Constantinos Venetsanopoulos | URI, so that Astakos will be able to validate the redirect URI provided during |
84 | d8e8581b | Constantinos Venetsanopoulos | the authorization code request. If a client is trusted (like the Pithos view), |
85 | d8e8581b | Constantinos Venetsanopoulos | Astakos grants access on behalf of the resource owner, otherwise the resource |
86 | d8e8581b | Constantinos Venetsanopoulos | owner has to be asked. |
87 | 9f541b00 | Sofia Papagiannaki | |
88 | d8e8581b | Constantinos Venetsanopoulos | We register an OAuth 2.0 client with the following command:: |
89 | 9f541b00 | Sofia Papagiannaki | |
90 | 5547485e | Sofia Papagiannaki | snf-manage oauth2-client-add <client_id> --secret=<secret> --is-trusted --url <redirect_uri> |
91 | 9f541b00 | Sofia Papagiannaki | |
92 | 9f541b00 | Sofia Papagiannaki | For example:: |
93 | 9f541b00 | Sofia Papagiannaki | |
94 | 5547485e | Sofia Papagiannaki | snf-manage oauth2-client-add pithos-view --secret=12345 --is-trusted --url https://pithos.synnefo.live/pithos/ui/view |
95 | 9f541b00 | Sofia Papagiannaki | |
96 | d8e8581b | Constantinos Venetsanopoulos | Configure view credentials in Pithos |
97 | 999bf7b6 | Sofia Papagiannaki | ------------------------------------ |
98 | 9f541b00 | Sofia Papagiannaki | |
99 | d8e8581b | Constantinos Venetsanopoulos | We set the credentials used by the Pithos view to authenticate itself |
100 | d8e8581b | Constantinos Venetsanopoulos | with Astakos during the resource access token generation procedure, in the |
101 | d8e8581b | Constantinos Venetsanopoulos | ``PITHOS_OAUTH2_CLIENT_CREDENTIALS`` setting. |
102 | 9f541b00 | Sofia Papagiannaki | |
103 | d8e8581b | Constantinos Venetsanopoulos | The value should be a ``(<client_id>, <client_secret>)`` tuple. |
104 | 9f541b00 | Sofia Papagiannaki | |
105 | 9f541b00 | Sofia Papagiannaki | For example:: |
106 | 9f541b00 | Sofia Papagiannaki | |
107 | d8e8581b | Constantinos Venetsanopoulos | PITHOS_OAUTH2_CLIENT_CREDENTIALS = ("pithos-view", 12345) |
108 | 9f541b00 | Sofia Papagiannaki | |
109 | 9f541b00 | Sofia Papagiannaki | Authorization code request |
110 | 999bf7b6 | Sofia Papagiannaki | -------------------------- |
111 | 9f541b00 | Sofia Papagiannaki | |
112 | 9f541b00 | Sofia Papagiannaki | The view receives a request without either an access token or an authorization |
113 | d8e8581b | Constantinos Venetsanopoulos | code. In that case it redirects to Astakos' authorization endpoint by adding |
114 | 9f541b00 | Sofia Papagiannaki | the following parameters to the query component using the |
115 | d8e8581b | Constantinos Venetsanopoulos | ``application/x-www-form-urlencoded`` format: |
116 | d8e8581b | Constantinos Venetsanopoulos | |
117 | d8e8581b | Constantinos Venetsanopoulos | :: |
118 | 9f541b00 | Sofia Papagiannaki | |
119 | 9f541b00 | Sofia Papagiannaki | response_type: |
120 | 9f541b00 | Sofia Papagiannaki | 'code' |
121 | 9f541b00 | Sofia Papagiannaki | client_id: |
122 | 9f541b00 | Sofia Papagiannaki | 'pithos-view' |
123 | 9f541b00 | Sofia Papagiannaki | redirect_uri: |
124 | 9f541b00 | Sofia Papagiannaki | the absolute path of the view request |
125 | 9f541b00 | Sofia Papagiannaki | scope: |
126 | 9f541b00 | Sofia Papagiannaki | the user specific part of the view request path |
127 | 9f541b00 | Sofia Papagiannaki | |
128 | 9f541b00 | Sofia Papagiannaki | For example, the client directs the user-agent to make the following HTTP |
129 | 9f541b00 | Sofia Papagiannaki | request using TLS (with extra line breaks for display purposes only):: |
130 | 9f541b00 | Sofia Papagiannaki | |
131 | 5547485e | Sofia Papagiannaki | GET /astakos/oauth2/auth?response_type=code&client_id=pithos-view |
132 | 9f541b00 | Sofia Papagiannaki | &redirect_uri=https%3A//pithos.synnefo.live/pithos/ui/view/b0ee4760-9451-4b9a-85f0-605c48bebbdd/pithos/image.png |
133 | 9f541b00 | Sofia Papagiannaki | &scope=/b0ee4760-9451-4b9a-85f0-605c48bebbdd/pithos/image.png HTTP/1.1 |
134 | 9f541b00 | Sofia Papagiannaki | Host: accounts.synnefo.live |
135 | 9f541b00 | Sofia Papagiannaki | |
136 | 9f541b00 | Sofia Papagiannaki | Access token request |
137 | 999bf7b6 | Sofia Papagiannaki | -------------------- |
138 | 9f541b00 | Sofia Papagiannaki | |
139 | d8e8581b | Constantinos Venetsanopoulos | Astakos' authorization endpoint responses to a valid authorization code |
140 | 9f541b00 | Sofia Papagiannaki | request by redirecting the user-agent back to the requested view |
141 | d8e8581b | Constantinos Venetsanopoulos | (``redirect_uri`` parameter). |
142 | 9f541b00 | Sofia Papagiannaki | |
143 | 9f541b00 | Sofia Papagiannaki | The view receives the request which includes the authorization code and |
144 | d8e8581b | Constantinos Venetsanopoulos | makes a POST request to the Astakos' token endpoint by sending the following |
145 | d8e8581b | Constantinos Venetsanopoulos | parameters using the ``application/x-www-form-urlencoded`` format in the HTTP |
146 | 9f541b00 | Sofia Papagiannaki | request entity-body: |
147 | 9f541b00 | Sofia Papagiannaki | |
148 | d8e8581b | Constantinos Venetsanopoulos | :: |
149 | d8e8581b | Constantinos Venetsanopoulos | |
150 | 9f541b00 | Sofia Papagiannaki | grant_type: |
151 | 9f541b00 | Sofia Papagiannaki | "authorization_code" |
152 | 9f541b00 | Sofia Papagiannaki | code: |
153 | d8e8581b | Constantinos Venetsanopoulos | the authorization code received from the Astakos. |
154 | 9f541b00 | Sofia Papagiannaki | redirect_uri: |
155 | 9f541b00 | Sofia Papagiannaki | the "redirect_uri" parameter was included in the authorization request |
156 | 9f541b00 | Sofia Papagiannaki | |
157 | d8e8581b | Constantinos Venetsanopoulos | Since the Pithos view is registered as a confidential client it MUST |
158 | d8e8581b | Constantinos Venetsanopoulos | authenticate with Astakos by providing an Authorization header including the |
159 | 5547485e | Sofia Papagiannaki | encoded client credentials as described in |
160 | 9f541b00 | Sofia Papagiannaki | http://tools.ietf.org/html/rfc2617#page-11. |
161 | 9f541b00 | Sofia Papagiannaki | |
162 | 9f541b00 | Sofia Papagiannaki | For example, the view makes the following HTTP request using TLS (with extra |
163 | 9f541b00 | Sofia Papagiannaki | line breaks for display purposes only):: |
164 | 9f541b00 | Sofia Papagiannaki | |
165 | d8e8581b | Constantinos Venetsanopoulos | |
166 | 5547485e | Sofia Papagiannaki | POST /astakos/oauth2/token HTTP/1.1 |
167 | 9f541b00 | Sofia Papagiannaki | Host: accounts.synnefo.live |
168 | 9f541b00 | Sofia Papagiannaki | Authorization: Basic cGl0aG9zLXZpZXc6MTIzNDU= |
169 | 9f541b00 | Sofia Papagiannaki | Content-Type: application/x-www-form-urlencoded |
170 | 9f541b00 | Sofia Papagiannaki | |
171 | 9f541b00 | Sofia Papagiannaki | grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA |
172 | 9f541b00 | Sofia Papagiannaki | &redirect_uri=https%3A//pithos.synnefo.live/pithos/ui/view/b0ee4760-9451-4b9a-85f0-605c48bebbdd/pithos/image.png |
173 | 9f541b00 | Sofia Papagiannaki | |
174 | 9f541b00 | Sofia Papagiannaki | Access to the protected resource |
175 | 999bf7b6 | Sofia Papagiannaki | -------------------------------- |
176 | 9f541b00 | Sofia Papagiannaki | |
177 | d8e8581b | Constantinos Venetsanopoulos | Astakos' token endpoint replies to a valid token request with a `200 OK` |
178 | 9f541b00 | Sofia Papagiannaki | response:: |
179 | 9f541b00 | Sofia Papagiannaki | |
180 | 9f541b00 | Sofia Papagiannaki | HTTP/1.1 200 OK |
181 | 9f541b00 | Sofia Papagiannaki | Content-Type: application/json;charset=UTF-8 |
182 | 9f541b00 | Sofia Papagiannaki | Cache-Control: no-store |
183 | 9f541b00 | Sofia Papagiannaki | Pragma: no-cache |
184 | 9f541b00 | Sofia Papagiannaki | |
185 | 9f541b00 | Sofia Papagiannaki | { |
186 | 9f541b00 | Sofia Papagiannaki | "access_token":"2YotnFZFEjr1zCsicMWpAA", |
187 | 9f541b00 | Sofia Papagiannaki | "token_type":"Bearer", |
188 | 9f541b00 | Sofia Papagiannaki | "expires_in":20 |
189 | 9f541b00 | Sofia Papagiannaki | } |
190 | 9f541b00 | Sofia Papagiannaki | |
191 | 9f541b00 | Sofia Papagiannaki | The view redirects the user-agent to itself by adding to the query component |
192 | 9f541b00 | Sofia Papagiannaki | the access token. |
193 | 9f541b00 | Sofia Papagiannaki | |
194 | 9f541b00 | Sofia Papagiannaki | The view receives the request which includes an access token and requests |
195 | d8e8581b | Constantinos Venetsanopoulos | from Astakos to validate the token by making a GET HTTP request to the |
196 | d8e8581b | Constantinos Venetsanopoulos | Astakos' validation endpoint:: |
197 | 9f541b00 | Sofia Papagiannaki | |
198 | 9f541b00 | Sofia Papagiannaki | GET /astakos/identity/v2.0/tokens/2YotnFZFEjr1zCsicMWpAA?belongsTo=/b0ee4760-9451-4b9a-85f0-605c48bebbdd/pithos/image.png HTTP/1.1 |
199 | 9f541b00 | Sofia Papagiannaki | Host: accounts.synnefo.live |
200 | 9f541b00 | Sofia Papagiannaki | |
201 | d8e8581b | Constantinos Venetsanopoulos | The Astakos' validation endpoint checks whether the token is valid, has not |
202 | 9f541b00 | Sofia Papagiannaki | expired and that the ``belongsTo`` parameter matches with the ``scope`` |
203 | d8e8581b | Constantinos Venetsanopoulos | parameter that was included in the token request. If not valid returns a `404 |
204 | d8e8581b | Constantinos Venetsanopoulos | NOT FOUND` response. If valid, returns the information of the user to whom the |
205 | d8e8581b | Constantinos Venetsanopoulos | token was assigned. |
206 | 9f541b00 | Sofia Papagiannaki | |
207 | d8e8581b | Constantinos Venetsanopoulos | In the former case the view redirects to the requested path (without the access |
208 | d8e8581b | Constantinos Venetsanopoulos | token or the authorization code) in order to re-initiate the procedure by |
209 | d8e8581b | Constantinos Venetsanopoulos | requesting an new authorization code. |
210 | 9f541b00 | Sofia Papagiannaki | |
211 | d8e8581b | Constantinos Venetsanopoulos | In the latter case, the view proceeds with the request and if the user has |
212 | d8e8581b | Constantinos Venetsanopoulos | access to the requested resource the resource's data are returned, otherwise |
213 | d8e8581b | Constantinos Venetsanopoulos | the access to the resource is forbidden. |
214 | 9f541b00 | Sofia Papagiannaki | |
215 | 9f541b00 | Sofia Papagiannaki | Authorization code and access token invalidation |
216 | 999bf7b6 | Sofia Papagiannaki | ------------------------------------------------ |
217 | 9f541b00 | Sofia Papagiannaki | |
218 | d8e8581b | Constantinos Venetsanopoulos | Authorization codes can be used only once (they are deleted after a successful |
219 | d8e8581b | Constantinos Venetsanopoulos | token creation) |
220 | 9f541b00 | Sofia Papagiannaki | |
221 | 5547485e | Sofia Papagiannaki | Token expiration can be set by changing the ``OAUTH2_TOKEN_EXPIRES`` setting. |
222 | 9f541b00 | Sofia Papagiannaki | By default it is set to 20 seconds. |
223 | 9f541b00 | Sofia Papagiannaki | |
224 | 9f541b00 | Sofia Papagiannaki | Tokens granted to a user are deleted after user logout or authentication token |
225 | 9f541b00 | Sofia Papagiannaki | renewal. |
226 | 9f541b00 | Sofia Papagiannaki | |
227 | 9f541b00 | Sofia Papagiannaki | Expired tokens presented to the validation endpoint are also deleted. |
228 | 9f541b00 | Sofia Papagiannaki | |
229 | 9f541b00 | Sofia Papagiannaki | Authorization code and access token length |
230 | 999bf7b6 | Sofia Papagiannaki | ------------------------------------------ |
231 | 9f541b00 | Sofia Papagiannaki | |
232 | 5547485e | Sofia Papagiannaki | Authorization code length is adjustable by the |
233 | d8e8581b | Constantinos Venetsanopoulos | ``OAUTH2_AUTHORIZATION_CODE_LENGTH`` setting. By default it is set to 60 |
234 | d8e8581b | Constantinos Venetsanopoulos | characters. |
235 | 9f541b00 | Sofia Papagiannaki | |
236 | d8e8581b | Constantinos Venetsanopoulos | Token length is adjustable by the ``OAUTH2_TOKEN_LENGTH`` setting. By default |
237 | d8e8581b | Constantinos Venetsanopoulos | it is set to 30 characters. |
238 | 9f541b00 | Sofia Papagiannaki | |
239 | 9f541b00 | Sofia Papagiannaki | Restrict file serving endpoints to a specific host |
240 | 999bf7b6 | Sofia Papagiannaki | -------------------------------------------------- |
241 | 9f541b00 | Sofia Papagiannaki | |
242 | d8e8581b | Constantinos Venetsanopoulos | A new setting ``PITHOS_UNSAFE_DOMAIN`` has been introduced. When set, all API |
243 | d8e8581b | Constantinos Venetsanopoulos | views that serve Pithos file contents will be restricted to be served only |
244 | d8e8581b | Constantinos Venetsanopoulos | under the domain specified in the setting value. |
245 | 9f541b00 | Sofia Papagiannaki | |
246 | d8e8581b | Constantinos Venetsanopoulos | If an invalid host is identified and request HTTP method is one of ``GET``, |
247 | d8e8581b | Constantinos Venetsanopoulos | ``HOST``, the server will redirect using a clone of the request with host |
248 | d8e8581b | Constantinos Venetsanopoulos | replaced to the one the restriction applies to. |