feat(core-api): role based access control through oauth2 scopes #770

Closed
petermetz opened this issue Apr 6, 2021 · 0 comments · Fixed by #793
Labels: API_Server, Core_API (Changes related to the Core API Package), enhancement (New feature or request)

Is your feature request related to a problem? Please describe.

I want to be able to configure the API server with an arbitrary OAuth2 identity provider so that it's easy to plug Cactus plugins into existing infrastructure and at the same time Cactus itself does not have to be burdened (for now at least) with providing a full implementation of an identity provider itself.

Describe the solution you'd like

  1. The API server can be configured with OAuth2 provider parameters such as in example [1], taken from the official documentation of the passport.js OAuth2 strategy: https://github.com/jaredhanson/passport-oauth2
  2. OAuth2 scopes work as well (and are checked, so that effective RBAC is implemented).
  3. The web service plugin interface is updated with functions that allow finer control; for example, the plugin instances should be able to specify themselves which scopes they need and whether they wish to be secure endpoints or not (e.g. whether anonymous users can hit them).

[1] The snippet as it appears in the passport-oauth2 README, with the `passport.use(new OAuth2Strategy(...))` wrapper and requires that surround it there; `EXAMPLE_CLIENT_ID`, `EXAMPLE_CLIENT_SECRET` and `User` are the documentation's own placeholders.

```javascript
const passport = require("passport");
const OAuth2Strategy = require("passport-oauth2");

// Provider endpoints and client credentials are configuration; the verify
// callback maps the provider's profile onto a local user record.
passport.use(new OAuth2Strategy({
    authorizationURL: 'https://www.example.com/oauth2/authorize',
    tokenURL: 'https://www.example.com/oauth2/token',
    clientID: EXAMPLE_CLIENT_ID,
    clientSecret: EXAMPLE_CLIENT_SECRET,
    callbackURL: "http://localhost:3000/auth/example/callback"
  },
  function(accessToken, refreshToken, profile, cb) {
    User.findOrCreate({ exampleId: profile.id }, function (err, user) {
      return cb(err, user);
    });
  }
));
```

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context

This came up during the work on #540 and is also heavily related to all the other identity related tasks that we have defined so far. The idea here is to do the absolute bare minimum that we need for a release candidate that we can honestly stand behind and say it is ready for production.

#546
#144

cc: @takeutak @sfuji822 @hartm @jonathan-m-hamilton @AzaharaC @jordigiam @kikoncuo @jagpreetsinghsasan

@petermetz petermetz added API_Server Core_API Changes related to the Core API Package enhancement New feature or request labels Apr 6, 2021
@petermetz petermetz self-assigned this Apr 6, 2021
petermetz added a commit to petermetz/cacti that referenced this issue Apr 6, 2021
…ledger#770

WORK IN PROGRESS

Fixes hyperledger#770

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit to petermetz/cacti that referenced this issue Apr 6, 2021
petermetz added a commit to petermetz/cacti that referenced this issue Apr 7, 2021
petermetz added a commit to petermetz/cacti that referenced this issue Apr 7, 2021
petermetz added a commit to petermetz/cacti that referenced this issue Apr 7, 2021
petermetz added a commit to petermetz/cacti that referenced this issue Apr 7, 2021
petermetz added a commit to petermetz/cacti that referenced this issue Apr 9, 2021
petermetz added a commit to petermetz/cacti that referenced this issue Apr 10, 2021
petermetz added a commit to petermetz/cacti that referenced this issue Apr 10, 2021
petermetz added a commit to petermetz/cacti that referenced this issue Apr 12, 2021
petermetz added a commit to petermetz/cacti that referenced this issue Apr 13, 2021
petermetz added a commit to petermetz/cacti that referenced this issue Apr 13, 2021
Primary change(s):
------------------

1. Verification of JSON web tokens for all endpoints by default.
2. The ability for endpoints to control, on top of JWT validity,
the requirement of the JWT payload containing a certain scope

Miscellaneous change(s):
------------------------

1. Refactor of all the endpoints and plugins to make this change
technically possible.

Fixes hyperledger#770

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit to petermetz/cacti that referenced this issue Apr 14, 2021
petermetz added a commit to petermetz/cacti that referenced this issue Apr 17, 2021
petermetz added a commit to petermetz/cacti that referenced this issue Apr 18, 2021
petermetz added a commit to petermetz/cacti that referenced this issue Apr 19, 2021
petermetz added a commit to petermetz/cacti that referenced this issue Apr 21, 2021
petermetz added a commit that referenced this issue Apr 21, 2021