An OAuth2 authorization server for communicating with etsy.com implemented in MirageOS. Etsy's authentication flow may be similar enough to other OAuth2 resource servers to make this server useful for them as well.
TLS is provided via Let's Encrypt. Credentials are stored in a separate Chamelon data store and automatically renewed when required.
- Most systems using OAuth2 in this way have some sort of local authentication which is then connected to a remote system's authentication information as a form of identity federation. This server has no notion of local identity and merely serves as an intermediary for access to the resource server. Authentication requests to Etsy are differentiated by 128-bit random numbers, which are generated by the authorization server and presented to the client. Guessing the random number yields access to the tokens.
- This server is a low-effort proof-of-concept implementation, and as such probably responds in unhelpful ways to lots of inputs.
- There is currently no rate-limiting on requests, which might give the potential user some pause when combined with the first item in this list. Given an adequate entropy source and CSPRNG, states shouldn't be guessable. The more likely problem is the ease of resource exhaustion attacks, since storage is allocated for each new state and, in the default configuration, not removed for many days.
- `/auth`: POST `uuid=16randombytes`
  - server generates and stores a new `state` and accompanying PKCE verifier
  - server redirects the client to Etsy's `oauth/connect` endpoint with `state`, `code_challenge`, etc
- `/etsy`: GET `?code=etsycode&state=somestate`
  - server retrieves the PKCE verifier for `somestate`
  - server stores `etsycode` for `somestate`
  - server initiates a token request to Etsy with `etsycode` and the PKCE verifier for `somestate`
  - server stores the `access_token` and `refresh_token` for `etsycode` and `somestate`
- `/token`: POST `state=somestate`
  - server retrieves `access_token` for `somestate`
  - if `access_token` is too old, server gets a new one with `refresh_token`
  - if `access_token` is still valid, server gives it to client
- quicker garbage collection of `state`s that never receive a valid code
- rate limiting
- a nice service on port 80 that redirects you to the TLS server
- user-friendly HTTP bodies for browser rendering
- useful errors in responses for bad state
- any kind of storage optimization
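
As an added example (Python, not this project's OCaml code), here is one way to bound the storage that `/auth` allocates: every state and PKCE verifier gets a lifetime, and the number of states still waiting for a code is capped. The class name, the TTL and cap values, and the S256 challenge method from RFC 7636 are assumptions, not taken from the server.

```python
import base64
import hashlib
import secrets
import time

STATE_TTL = 600       # assumed: seconds a state may wait for Etsy's callback
MAX_PENDING = 10_000  # assumed: cap on states still waiting for a code

def b64url(raw: bytes) -> str:
    """Unpadded base64url, the encoding PKCE uses (RFC 7636)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

class PendingStates:
    """Hypothetical store for states issued by /auth that have no code yet."""

    def __init__(self, ttl=STATE_TTL, cap=MAX_PENDING, clock=time.monotonic):
        self.ttl, self.cap, self.clock = ttl, cap, clock
        self.pending = {}  # state -> (pkce_verifier, issued_at), oldest first

    def sweep(self):
        """Drop expired states; entries are in issue order, so stop at the first live one."""
        cutoff = self.clock() - self.ttl
        while self.pending:
            oldest = next(iter(self.pending))
            if self.pending[oldest][1] > cutoff:
                break
            del self.pending[oldest]

    def issue(self):
        """/auth: return (state, code_challenge), or None when the store is full."""
        self.sweep()
        if len(self.pending) >= self.cap:
            return None  # refuse rather than allocate storage for another state
        state = b64url(secrets.token_bytes(16))     # 128-bit random state
        verifier = b64url(secrets.token_bytes(32))  # 43-character PKCE verifier
        challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())  # S256
        self.pending[state] = (verifier, self.clock())
        return state, challenge

    def redeem(self, state):
        """/etsy: return the verifier once, or None if unknown, used or expired."""
        self.sweep()
        entry = self.pending.pop(state, None)
        return entry[0] if entry else None
```

A `None` from `issue()` would map to an error response on `/auth`; states that do receive a code leave this store and move to whatever holds the tokens.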
- an Etsy developer key
- a publicly-registered FQDN corresponding to a public IP where you can run a unikernel
- a registered callback URI for your application corresponding to the above FQDN with the `/etsy` endpoint
- two block devices formatted for Chamelon data storage
  - a small one for credentials (mine is 16K) with your developer key saved at /keystring
  - a larger one for state, code, token, etc. storage
Several targets are provided for convenience in the included justfile. Users will want to make substitutions in the initial variable definitions, particularly fqdn, as appropriate.
If you want a release of this under a different license, feel free to contact the e-mail address in the commit messages associated with yomimono to arrange something.