Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add JWT-based Auth option for API requests #900

Merged
merged 8 commits into from
Sep 5, 2024
Merged

Add JWT-based Auth option for API requests #900

merged 8 commits into from
Sep 5, 2024

Conversation

p-kaczynski
Copy link
Contributor

I tried to balance the non-invasive, limited change with doing it at least semi-properly.

I think it should be fine, I ran it locally and it behaved as expected.

Note: this by default will be disabled, config needs to be provided for it to work:

  "DLCS": {
    ...,
    "JwtKey": "iy/umankHwi8fWcUOv0skf4b3vmWip9VhTWxneHokwI=",
    "JwtValidIssuers": [
      "urn:caspian:site:default"
    ]
  }

don't worry, this key is made up for this PR note only

of course key can be any Base64 encoded data, e.g.:

var key = new byte[32];
var rng = System.Security.Cryptography.RandomNumberGenerator.Create();
rng.GetBytes(key);

Convert.ToBase64String(key); // returns the value for config

I opted NOT to include default because it'd surely end up being the actual key in prod deployments at some point down the line ;)

The DLCS:JwtValidIssuers:# should be urn:caspian:site:default, which is the default value used by Portal, though the final term (here default) can be whatever, configurable per env (so even if key reuse happens we still can limit (or allow) cross-env calls.

This will split off the existing path into its own method, do JWT things and if it's indeed a DLCS Customer Id claim, correctly signed, will load the customer from repo by that id and use the first key from the list for this customer, before returning to the usual flow.

I split the code into respective flows, but I really didn't want to throw exceptions for flow control in sth that's ran on every request, exposed to the world, as it can create spurious overheads. So to keep it hopefully light it just returns a wrapped string (FailedCaller) in case of auth failure, which gets turned into AuthenticationResult.

The code could be nicer I'm sure, but I'd prob have to refactor much, much more, and I really, really don't want to break stuff, so make your judgement ;)

@p-kaczynski p-kaczynski requested a review from a team as a code owner September 2, 2024 16:25
donaldgray
donaldgray requested changes Sep 4, 2024
View reviewed changes
Copy link
Member

@donaldgray donaldgray left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some of the c#12 stuff (primary constructor and object-initializer) will need to be old-skooled until we update the docker images.

src/protagonist/API/Auth/DlcsBasicAuthenticationHandler.cs Outdated Show resolved Hide resolved
src/protagonist/API/Auth/DlcsBasicAuthenticationHandler.cs Outdated Show resolved Hide resolved
@donaldgray donaldgray self-requested a review September 4, 2024 15:16
@p-kaczynski p-kaczynski force-pushed the feature/ICS-31/jwt_customer_auth branch from 389de46 to 080bf9c Compare September 5, 2024 10:13
@p-kaczynski p-kaczynski merged commit 5397f96 into main Sep 5, 2024
8 of 9 checks passed
@p-kaczynski p-kaczynski deleted the feature/ICS-31/jwt_customer_auth branch September 5, 2024 10:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@donaldgray donaldgray donaldgray approved these changes

@tomcrane tomcrane Awaiting requested review from tomcrane tomcrane is a code owner automatically assigned from dlcs/dlcs-developers

@christinemacdonald christinemacdonald Awaiting requested review from christinemacdonald christinemacdonald is a code owner automatically assigned from dlcs/dlcs-developers

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@p-kaczynski @donaldgray