New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Question about Authorize() detail #140
Comments
While we purposely have not defined how a token should look like because we wanted to give implementers the freedom on how the want to implement security, we have made a suggestion as to what the token should contain: Path: The signal path (defined here) the token authorizes. The path may be a branch name or contain wildcards to authorize entire branches. So, if either the path and/or actions are missing then the server should reject the token as being invalid. I think the VISS should not be required to remember any tokens. But of course, you are free to implement it as you see best fit and security for your application. |
Hi @rstreif Thanks for the suggestion!
I understand and this is OK to me.
In my understanding, these are kind of additional information and there should be
Existence check of 'path, actions, valid_from, valid_to' is just a data format validation In case of OAuth2.0, I can get OAuth2.0's My question was, when user_A have valid token, VIS server should always accept If VIS server always accept the request, then executing In latter case, VIS server should know user_A's accessibility information such as
Having such database for all users inside VIS server is not practical and I don't want to do this. Anyway, I understand these thing are implementer's freedom and I can decide as I like. If there is no more comment, I close this issue. |
@aShinjiroUrata, now I understand better what you mean. My thinking here is not that the VISS authorization token embeds a core authorization token (token_core) such as OAuth2, JWT, etc. In this case it would be difficult avoid stripping the VISS authorizations from the core token (unless you add signature and/or encryption). My thinking is that the VISS authorization token is essentially an OAuth2, JWT, etc. token that in addition to its typical fields would also include the VISS-specific fields. |
Hi Rudi-san,
I understand you mean, it would be difficult to protect core token from stripping for security purpose.
I understand this is more secure. If so, in OAuth2.0 case, in my understanding OAuth2.0's Anyway, detail of security token is implementor's freedom and it is OK. |
Urata-san,
Yes, a) would only allow you to read the door lock status and that can be done per door or by wildcarding the tree according to VSS. b) would also allow to lock and unlock the door and subscribe to the door lock status.
Yes, I have to admit that I do not know much about OAuth2 tokens. They may not even work for our application. We would want to support tokens that can authorize different things with the same token. For RVI we are using JWT, which are very suitable for this application. |
Hi Rudi-san,
If there's no more comments, I'll close this issue. |
Hi, My personal preference would be to keep the specification simple in this area and just use tokens to identity entities (user, vehicle devices, apps etc) The idea was that 'out of band' a Security Authority would issue the token e.g. for the user (after user had authenticated using some credentials) or for the vehicle device (e.g. based on vehicle/device proving knowledge of a private key) . So tokens just validate the identity of entities. The user and/or vehicle device tokens would be passed to the WebSocket server via the Authorize (which might more properly be called 'Authenticate' method) and on receipt of the token, the server verifies that the tokens are valid by checking with the Security Authority that issued it. The Server implementation is then free to grant or deny access to data (i.e. manage access control) as it sees fit. It could be that behind the scenes and outside of the scope of the specification, it may be that the server implements a set of roles for users and access to data is dependent on whether the user is a member of a particular role. For example, if the user associated with the token is a member of the 'OEMTester' role they are allowed to get/set/subscribe to ANY data, in order to support to support Quality Assurance testing. My personal view is the spec should not try to define roles and precise access control rules, just provide a mechanism to identify entities using tokens. Personally, I wasn't expecting that the Security Authority would be Twitter but the OEMs Security Authority in the Cloud or in the vehicle (for system to work when no connectivity). Though to be explicit, I'm not saying that an OEM's implementation should not be allowed to accept a twitter OAuth token if that is how they have implemented their access control model. So they should be allowed to do this if they want or to accept e.g. Facebook or Google access tokens. More often though, I would expect the token to represent the user identity for the OEM and the OEM to have linked that user account with the user's Twitter, Spotify etc accounts. The approach is quite general in that it allows any sort of security token that a Security Authority can grant (that can be passed via a JSON Authorize action fragment). Our preference would be to keep access control separate from authentication and to just use the tokens to identify entities, and leave the implementer to be free to decide how to control access given they know the identity of the user and/or device (and or e.g. App) making the request. It is good to discuss and keen that we get a good level of agreement on how we believe authentication and access control should be handled. |
Hi Kevin-san, Thank you very much for sharing the idea!
I understand that using tokens for user/device/app identity only or using
I agree. The spec should be kept simple and the role discussion should be implementer's freedom.
I understand. I was just trying to find a quick way to use OAuth with prototype implementation.
I like this idea since it is simple and easier to implement. Thanks. |
AR: Reword the paragraph "While this specification does not mandate the token format and structure it shall at least contain the following elements to provide meaningful authorization:" to "While this specification does not mandate the token format and structure it is recommended that tokens least contain the following elements to provide meaningful authorization:" |
As discussed, we will keep the VISS simple in this respect, and open to implementations. #192 simplifies the authorise section. |
Hi,
Currently, I'm thinking about how to implement authorize() method and have some questsions.
One of the questions is below.
When authorize() is executed with a token( user token and/or device token ), I suppose VISS server will validate the token.
At this point,
a) VISS server always grant the access to the request with valide token?
Or,
b) VISS server may reject the access request even if the token is valid?
If a) is the case, token's validity is only important thing and if token is valid,
the user will be able to access any data point.
This is very simple but I suppose this is not Kevin-san's intention.
If b) is the case, VISS server should have some database in which token's access right is defined such as "tokenA can access VehicleSpeed, engine RPM", "tokenB can access door lock status", etc.
If every users have different token, VISS server has to have a large database for this purpose and I feel not efficient nor realistic way.
I think this is implementation detail matter and I don't think this kind of detail should be written in the spec.
I'd like to know if Kevin-san and Adam-san's have original idea about this point.
The text was updated successfully, but these errors were encountered: