
Token based (OIDC + JWT?) based authentication #87

Closed
joepio opened this issue Jan 13, 2022 · 1 comment

Comments

joepio commented Jan 13, 2022

I designed a custom authentication protocol for Atomic Data. It's a simple system, and it gives people a great amount of control over their online identities, but it has limitations:

  • It's a custom system. Developers will need to deal with this, and they don't like to spend time on a problem that has already been solved with tools that they are familiar with.
  • Signing and verifying things takes time. It's not much (100.000 signatures per second), but it is something.
  • Signing things is more complicated than storing a single token. Although signing is far more secure, of course, some may want to simply pass a static token in an HTTP header - it is easier to use. This is relevant in many contexts, such as CI, CLI apps (e.g. curl) and more.

So how should tokens work? Let's consider a few approaches:

OpenID Connect, OAuth, JWT

The standard stack for authentication, used everywhere.

  • Doesn't give the user the same amount of control over their identity as Atomic Auth does.

Just JWT + /getToken Endpoint

  1. User sends an authenticated HTTP request to /getToken.
  2. Server responds with a token, which is valid for some time (maybe later add an optional expiration query param). This token should probably be a JWT.
  3. This token can then be sent using an HTTP header like so: Authorization: Bearer eyJhbGciOiJIUzI1NiIXVCJ9TJV...r7E20RMHrHDcEfxjoYZgeFONFh7HgQ
  • Provides a decent GUI to create new tokens, without too much work.
  • Uses Atomic Endpoints, which is the way to go
  • Still not compatible with OAuth / OIDC

Client-side signed tokens

  • Client signs an Authentication, similar to how websocket auth currently works in Atomic Data.
  • This signed Authentication should also include an expiration date and a server, not a subject
  • We can set the Authentication as a cookie and include it in all following requests

Considerations:

  • Signature has to be set only once per session / day, instead of for every single request. Since signing something could take up to a few milliseconds on slower devices, that could make the app more performant.
  • We could pass the token in all requests using a cookie, which means we can use this authentication mechanism also for downloading images (we can't manually set headers when browsers automatically fetch images)
  • Since we only sign once per session, the client only needs access to the private key once! This means we can probably use the web.crypto library to sign the cookie.
joepio added a commit that referenced this issue Oct 14, 2022

joepio commented Oct 25, 2022

We now allow client-signed tokens in cookies, which solves the most important part of the problem: only signing one thing every few moments.

@joepio joepio closed this as completed Oct 25, 2022