bearer token proposal #373
Looks good to me.
I think going with the approach of FileTokenService to start makes sense.
ACK
| Other items to consider for consistency sake, but not directly required for this | ||
| proposal: | ||
|
|
||
| - Rename `UserServiceAdapter` to `UserService` |
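Review bot: minor wording in the lead-in line of this hunk: "for consistency sake" should read "for consistency's sake". Since the list is explicitly out of scope for this proposal, consider also stating where the rename would be tracked so the item does not read as a pending change of this PR.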
👍
docs/proposals/bearer-token.md
Outdated
| - Will this change APBs? | ||
|
|
||
| The bearer token will have no affect on the APBs. | ||
|
|
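Review bot: "no affect" should be "no effect" in the answer line. It would also help to state whether the answer still holds when bearer auth is the only provider enabled, since the question raised below is whether bearer tokens will become the default.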
Will there be any developer impact? Will bearer tokens be the default?
I'll update the proposal to answer your question. Both basic and bearer will be enabled in catasb, but for `make run` all auth is currently disabled.
docs/proposals/bearer-token.md
Outdated
|
|
||
| - How will the broker's behavior change? | ||
|
|
||
| The broker will now have 2 ways for authentication: basic auth and bearer |
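Review bot: this sentence stops mid-list ("basic auth and bearer") and does not say how the two providers interact when both are enabled. The reply later in this thread describes first-match behaviour (the middleware runs the providers in order and the first one that recognises the request's Authorization header handles it); that description belongs in the proposal text itself, together with an explicit statement that a request no provider accepts is rejected rather than passed through.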
We have two different ways to authenticate. Are these two independent code paths? In other words can you enable basic auth and use a bearer token?
Can you expand this question into an implementation section? A `## Broker Behavior` section is a good place to answer this question in detail.
@rthallisey yep, I can expand on it. You can have all the auths enabled if you want. Basically, the middleware handler will pick the first one that accepts the right authentication header. So if you have basic auth and bearer token enabled and send in a Bearer token header, the basic auth provider will ignore it since there is no basic auth header. The bearer token provider will pick it up. If we had an SSL auth provider as well, it will have gotten skipped because the bearer token provider already processed the authentication.
docs/proposals/bearer-token.md
Outdated
| For example, I want to have a `BasicAuth` that uses the `FileUserService` and a | ||
| `BasicAuth` that uses `DBUserService`, a fictitious service that loads users from a | ||
| database. Today's configuration does not support specifying a service backend | ||
| to a particular `AuthProvider`. Thoughts? |
This seems like an expansion of existing auth. Does this belong here?
I'm trying to understand what's included as an AuthProvider. Is the existing auth an AuthProvider? Then I think the problem you're talking about here is the broker trying to figure out if a service backend is associated with either basic auth or a bearer token? Do I have that right?
@rthallisey Yes, BasicAuth is an AuthProvider. And an AuthProvider can be associated with some backend service adapter. Today BasicAuth is configured to use FileUserServiceAdapter. But conceivably I'd like to configure BasicAuth to use a database of users instead, something called DBUserService. I'm not sure how to represent that in our configuration.

```go
package auth

import (
	"strings"

	logging "github.com/op/go-logging" // logger import path assumed for this snippet
)

// createProvider builds the AuthProvider selected by the "type" key of the
// auth config; only "basic" is wired up today.
func createProvider(providerType string, log *logging.Logger) (Provider, error) {
	switch strings.ToLower(providerType) {
	case "basic":
		log.Info("Configured for basic auth")
		usa, err := GetUserServiceAdapter(log)
		if err != nil {
			return nil, err
		}
		return NewBasicAuth(usa, log), nil
	// add case "oauth":
	default:
		panic("Unknown auth provider")
	}
}

// GetUserServiceAdapter returns the configured UserServiceAdapter
func GetUserServiceAdapter(log *logging.Logger) (UserServiceAdapter, error) {
	// TODO: really need to figure out a better way to define what
	// should be returned.
	return NewFileUserServiceAdapter("/var/run/asb-auth", log)
}
```

I could extend the configuration to also include a key for the service backend to use:

```yaml
auth:
  - type: basic
    backend: file
    enabled: false
  - type: basic
    backend: db
    enabled: true
```

Or if we want to support multiple basic auths, something like this:

```yaml
auth:
  - type: basicfile
    enabled: true
  - type: basicdb
    enabled: true
```

Each would be a distinct key in the list of supported values.
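As an added illustration of two points from this thread, the first-match provider chain described earlier (the middleware runs the providers in order and the first one that recognises the Authorization header handles the request) and the `type`/`backend` configuration shape proposed in the comment above, the following Go program wires a basic provider and a bearer provider behind one handler. This is example code, not code from the broker or from this PR: the `ProviderConfig` fields, the `Provider` interface with its `handled` result, the `UserService`/`TokenService` function types and the `type/backend` switch key are all assumptions, and the in-memory user and token stand in for `FileUserService` and `FileTokenService`. One design choice goes beyond what the thread states: a provider that recognises the request's scheme but rejects the credential fails the request closed instead of letting a later provider try, so a bad Basic password is not retried against the bearer provider within the same request.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"strings"
)

// ProviderConfig mirrors the "type / backend / enabled" shape floated in the thread (field names assumed).
type ProviderConfig struct {
	Type, Backend string
	Enabled       bool
}

// Provider is one auth scheme. handled reports whether the request carried this scheme's
// credential at all; a handled request with a bad credential is rejected, not passed on.
type Provider interface {
	Authenticate(r *http.Request) (principal string, handled bool, err error)
}

// Backend adapters, stand-ins for FileUserService / FileTokenService (signatures assumed).
type UserService func(user, pass string) bool
type TokenService func(token string) (user string, ok bool)
type BasicAuth struct{ users UserService }
type BearerAuth struct{ tokens TokenService }

func (b BasicAuth) Authenticate(r *http.Request) (string, bool, error) {
	user, pass, ok := r.BasicAuth()
	if !ok { // no Basic header: not ours, let the next provider look
		return "", false, nil
	}
	if b.users(user, pass) {
		return user, true, nil
	}
	return "", true, fmt.Errorf("basic auth: invalid credentials for %q", user)
}

func (b BearerAuth) Authenticate(r *http.Request) (string, bool, error) {
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(strings.ToLower(h), "bearer ") { // no Bearer header: not ours
		return "", false, nil
	}
	if user, ok := b.tokens(strings.TrimSpace(h[len("bearer "):])); ok {
		return user, true, nil
	}
	return "", true, fmt.Errorf("bearer auth: unknown token")
}

// NewProviders builds the enabled providers in config order, keyed by the type/backend
// pair; an unsupported pair is a startup error instead of a panic.
func NewProviders(cfg []ProviderConfig, users UserService, tokens TokenService) ([]Provider, error) {
	var ps []Provider
	for _, c := range cfg {
		if !c.Enabled {
			continue
		}
		switch strings.ToLower(c.Type + "/" + c.Backend) {
		case "basic/file":
			ps = append(ps, BasicAuth{users})
		case "bearer/file":
			ps = append(ps, BearerAuth{tokens})
		default: // e.g. "basic/db" has no service wired up yet
			return nil, fmt.Errorf("unsupported auth provider %q with backend %q", c.Type, c.Backend)
		}
	}
	return ps, nil
}

// Handler runs providers in configured order: the first whose scheme is present decides,
// and a request no provider claims gets 401 with a challenge listing both schemes.
func Handler(providers []Provider, next func(http.ResponseWriter, *http.Request, string)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for _, p := range providers {
			user, handled, err := p.Authenticate(r)
			if !handled {
				continue
			}
			if err == nil {
				next(w, r, user)
				return
			}
			break // scheme matched but credential failed: do not consult other providers
		}
		w.Header().Set("WWW-Authenticate", `Basic realm="broker", Bearer realm="broker"`)
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	})
}

// SampleHandler wires both providers with one constructed user (admin / s3cret) and one
// constructed token (tok-abc -> robot) in front of a handler that echoes the principal.
func SampleHandler() http.Handler {
	eq := func(a, b string) bool { return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1 }
	users := func(u, p string) bool { return u == "admin" && eq(p, "s3cret") }
	tokens := func(t string) (string, bool) { return "robot", eq(t, "tok-abc") }
	cfg := []ProviderConfig{{"basic", "file", true}, {"bearer", "file", true}}
	ps, err := NewProviders(cfg, users, tokens)
	if err != nil {
		panic(err)
	}
	return Handler(ps, func(w http.ResponseWriter, _ *http.Request, user string) { fmt.Fprintln(w, user) })
}

func main() { http.ListenAndServe("127.0.0.1:8080", SampleHandler()) } // stand-alone: probe with curl
```

Run it with `go run` and send requests with the sample Basic credentials or `Authorization: Bearer tok-abc`; a request with no recognised header, or with a recognised header and a wrong credential, gets a 401 carrying a `WWW-Authenticate` challenge. A config entry such as `basic/db` is refused at construction time, which is where the second config shape in the thread would add its own case.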
@rthallisey I updated the docs to clarify the questions section, and I tried to answer your question about AuthProvider.
lgtm
| `BasicAuth` that uses `DBUserService`, a fictitious service that loads users from a | ||
| database. Today's configuration does not support specifying a service backend | ||
| to a particular `AuthProvider`. Thoughts? | ||
|
|
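Review bot: this section of the proposal still ends with an open question ("Thoughts?") in the document body. The thread already holds the two candidate config shapes (a `backend` key per `type` entry, or distinct types such as `basicfile` / `basicdb`) and the later comment says the choice is not yet made, so list both options here under the questions section and mark which one is chosen or explicitly deferred, rather than leaving the design point unresolved in the merged text.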
Do we have a solution for this?
@rthallisey not yet, right now basicauth is tied to FileUserService and bearer auth would be tied to FileTokenService. Just need to decide how we want this in the config file.
Add bearer token auth to the service broker.