JWT authentication for rest-api #181
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
+ generate JWT AES256 signing key fro user's department key
OEAP rejects using private key to encypt/public key to decrypt
|
SonarCloud Quality Gate failed. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
JWT authentication introduces a dedicated "/tools/login" endpoint to authenticate a user with credentials provided via http "basic authentication" header. it will return a secure token ("JWT") string, that can be passed to subsequent rest-api requests via the "bearer authentication" header. The token authenticity is verifyied using the groupkey of the user's department, so no new keys had to be introduced (generated).
since the phoenix database stores subject PII data encrypted with PBE (password-based encryption) with the department group key, every service method requires to provide the user credentials (to encrypt/decrypt the group key and then the subject PII). for JWT authentication this means veryfying a JWT validity is not enough, the JWT token also has to carry the credentials in order to run servicemethods.
This is achieved by including the RSA-encrypted password to the JWT token payload. In phoenix every user already owns an internal RSA keypair (for signing eCRFs), which is re-used here. The private key is used to encrypt the password, while the public key is used to decrpyt. The security holds as long an attacker does not hold both public key and a captured JWT in his hands, therefore http ("bearer") header containing the JWT string should not be recorded in the http server logs.
it's up to the rest-api consumer ther to include a "validity_secs" query parameter when creating the JWT. Eg. "/tools/login?validity_secs=300" will render a token that is accepted up to 5 minutues only, until it has to be renewed.