Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Service auth method binding (lxm) #2663

Merged
merged 50 commits into from
Aug 18, 2024
Merged

Service auth method binding (lxm) #2663

merged 50 commits into from
Aug 18, 2024

Conversation

dholms
Copy link
Collaborator

@dholms dholms commented Jul 25, 2024
edited
Loading

This iterates on our current service auth tokens by adding an additional claim (lxm or "lexicon method") to the JWT payload which "binds" a token to a given request. This is not intended as an endstate for authorization semantics, but rather an incremental improvement over the current situation that is forward-compatible with a couple possible plans for a more expressive authorization system.

This also introduces a random 128 bit (hex-encoded) nonce onto each signed token. As these tokens are intended to be single use, this allows a service to optionally implement reuse prevention

An example service auth token may look like:

{
  iss: "did:example:user",
  aud: "did:example:service",
  lxm: "com.atproto.repo.createRecord"
  nonce: "2ec15719a8ba82868f2506162541582f9462f3fdddb0ae4cee150e3031d01e97"
}

These tokens are backwards-compatible with existing services that do not do method checks. A service auth token with no lxm claim may still be used for simple authentication, but should not be used for any sensitive behavior or to perform actions on behalf of the user.

Alongside this, we also update com.atproto.server.getServiceAuth to take lxm as a parameter, as well as an optional exp time. This allows us to lower the access requirement for getServiceAuth such that app passwords are able to use the route. We perform an additional check within getServiceAuth to determine if the requester has the proper access level to receive a service auth token for the requested method. App passwords will not be able to request access to privileged methods such as DM-related methods.

This also enables uploadBlob to be called using a service auth token on behalf of a user. Only this user-facing route accepts service auth tokens for now but this can serve as a pattern for future routes.

Rollout plan:

  • Deploy our PDSs & publish the PDS distribution with updated service auth creation code such that all generated service auth tokens include the relevant scope(s) (Service auth method binding - PDS #2668)
    • In this deploy we should continue requiring a "privileged" access token (ie not app password) in order to create any service auth (since Chat & Ozone are not deployed yet)
  • Wait a few days to ensure PDSs update
  • Deploy sensitive services including Ozone & Chat.
  • Deploy an update to the PDS that allows app passwords to create service auth tokens
  • Deploy less sensitive services such as Bsky Appview

@dholms dholms marked this pull request as ready for review July 26, 2024 21:24
@dholms dholms mentioned this pull request Jul 29, 2024
Merged
@dholms dholms changed the base branch from main to service-auth-scopes-pds July 29, 2024 23:03
Base automatically changed from service-auth-scopes-pds to main August 5, 2024 20:09
@dholms dholms mentioned this pull request Aug 5, 2024
Merged
@devinivy devinivy merged commit 50c0ec1 into main Aug 18, 2024
13 checks passed
@devinivy devinivy deleted the service-auth-scopes branch August 18, 2024 19:46
@github-actions github-actions bot mentioned this pull request Aug 18, 2024
Merged
estrattonbailey added a commit that referenced this pull request Aug 19, 2024
@estrattonbailey
Merge remote-tracking branch 'origin/main' into reply-grandparent
fc0b00d 
* origin/main:
  Fix calls from pds containing content-type but no body (#2725)
  Version packages (#2712)
  Service auth method binding (lxm) (#2663)
  Fix getActorLikes documentation to reflect auth required (#2593)
estrattonbailey added a commit that referenced this pull request Aug 19, 2024
@estrattonbailey
Merge remote-tracking branch 'origin/main' into reply-qp-moderation
2d661f7 
* origin/main:
  Fix calls from pds containing content-type but no body (#2725)
  Version packages (#2712)
  Service auth method binding (lxm) (#2663)
  Fix getActorLikes documentation to reflect auth required (#2593)
  exact matches always show profile regardless of block status (#2653)
estrattonbailey added a commit that referenced this pull request Aug 19, 2024
@estrattonbailey
Merge remote-tracking branch 'origin/main' into hailey/quote-view
ded9f36 
* origin/main:
  Fix calls from pds containing content-type but no body (#2725)
  Version packages (#2712)
  Service auth method binding (lxm) (#2663)
  Fix getActorLikes documentation to reflect auth required (#2593)
  exact matches always show profile regardless of block status (#2653)
@devinivy devinivy mentioned this pull request Aug 21, 2024
Closed
burningtree added a commit to burningtree/atproto-pds that referenced this pull request Sep 13, 2024
@burningtree
Update migration instructions due to lxm bluesky-social/atproto#2663
a320bd7
This was referenced Sep 13, 2024
Closed
Merged
devinivy pushed a commit to bluesky-social/pds that referenced this pull request Sep 13, 2024
@burningtree
Update migration instructions due to lxm bluesky-social/atproto#2663 (#…
44a80c7 
…88)
@afternooncurry afternooncurry mentioned this pull request Sep 19, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@devinivy devinivy devinivy approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dholms @devinivy