-
Notifications
You must be signed in to change notification settings - Fork 71
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Re-Implement the Drupal Filter using JWT #520
Comments
Just to be clear here, @dannylamb, you mean a |
Yes. Sorry, referring to a generic product with a name brand there. Tomcat's our default, but it should work with any container. |
I'll take a crack at this one. May take me a bit of time though. |
@ajs6f My understanding here is that authn comes from the web server and Fedora doesn't really have to get involved. Are there potentially any configuration bits on fcrepo I might be missing / not aware of? |
@dannylamb Definitely way the heck outside of any sphere of Fedora's control or interest. AuthZ, different story, but authN, not Fedora's business. |
Generally, there may or may not be an immediately proximate web server, but anyway, authN comes from upstream. |
@jonathangreen if you need a hand, please don't hesitate to ask. |
Don't worry, if anything I will ask too many questions :) |
So here is my understanding of this ticket, just going to write it out to get everyones feedback. We will be using JSON Web Tokens (JWT) for authentication between Islandora, Fedora and the associated micro services. Drupal will be the source of the JWTs. When Drupal emits events events to its queue, it will pass along tokens with them, that can later be used for authorization in various services. Tokens will also be able to be obtained through a REST endpoint. All services will use HTTPS for communication so as not to expose the tokens. The JSON Web Tokens will be provided in Drupal by the JWT module: The JWT claim will contain:
header: {
"alg": "RS256",
"typ": "JWT",
"iss": "site identifier"
} claim: {
"exp": "1234567890",
"name": "John Doe",
"roles": ["1", "2", "3"],
"iss": "site identifier"
} The JWT header will contain a copy of the site identifier, so that any filter wanting to validate the JWT will know which site it came from in the case where there are multiple Drupal sites communicating with the same services. We will use the JWS (https://tools.ietf.org/html/rfc7515) algorithm secured with a digital signature to create the tokens. This means that anything wanting to verify the token will only need the public key of the site that issued the token in order to verify its claims. Fedora will have a servlet filter that will accept the JWT and use this to authenticate the request. The Fedora servlet filter will have a configuration that takes site identifiers and the associated public key which it will use to verify the claims in the token. Seem reasonable? |
My comment is just from the Fedora POV: that seems quite reasonable. (Y'all know that the first question is going to be "But does it work with my utterly obscure obsolete institutionally-mandated SSO system?!") |
"Yes as long as your utterly obscure obsolete institutionally-mandated SSO works with JWTs" |
We can push that off to Drupal. "Yes as long as your utterly obscure obsolete institutionally-mandated SSO works with Drupal." |
So I was doing some reading on this and now I have a question. I can see how this works when syncing from Fedora to Drupal.
But how do we plan to use this for Drupal -> Fedora requests? Am I wrong in assuming that Fedora would have to provide a token that Drupal would use with its request and then Fedora would have to validate that token before processing the request. Is this a place for API-X to come to the rescue or perhaps I skipped a basic point? |
So the thing with JWT is they cryptographically sign the JWT. So the flow of information goes something like this:
That lets us pass tokens from drupal -> fedora without having to do database lookups to verify usernames or passwords like we did in D7. This all assumes that the connections take place over SSL, which in the end will be another part of this request, to ensure that all the inter-service connections happen over SSL. The pull request to Islandora is just the first in a series of pull requests that will come out of this issue. I still need to work on:
|
Also on this topic |
@jonathangreen @whikloj ok! Should we have a quick discussion/planning meeting about this for the drupal ->fedora part?. Mostly because I don't see how things like WebAC fit in that user-less schema. |
@DiegoPino the schema isn't userless. The user, and their roles get passed to Fedora in the JWT. After the JWT is validated then Fedora will have all the information in the JWT to use: {
"exp": "1234567890",
"iss": "1234567890",
"drupal": {
"uid": "1",
"name": "username",
"roles": ["rolea", "roleb", "rolec"],
"url": "https://mysite.com"
}
} If we want to have a planning discussion about this, maybe we could add it to the agenda for the CLAW call this week. I'd like to have @dannylamb in on the call, since he created this ticket. |
@jonathangreen ok! again, cool. I like planning and stuff but it is not required if you all feel you know your way. What I like most is understanding stuff! (so thanks for that clarification). |
Okay so let me know if I missed something (or everything) here At the end of the Drupal -> Camel -> Fedora chain.
I'm guessing that for step 4 we could make use of a new public or private claim like "validationURL", like |
@whikloj there is no call back to Drupal from the Fedora side.
|
@jonathangreen thanks, I think my understanding of the public/private key verifying was...missing something. |
So final puzzle piece is here: That repo implements a valve that can be used in tomcat so fedora4 will accept islandora's JWTs. |
I think whenever someone is ready to pull the trigger, these pull requests are good to go in now from my perspective. |
Partially resolved with: afcd377 |
Partially resolved with: Islandora/Alpaca@5cd05d8 |
Third and final commit: islandora-deprecated/claw_vagrant@0d633be |
Add https://www.drupal.org/project/jwt to the install and be sure to enable the optional module to make it a credentials provider. If any configuration is required to get it going we'll need to export that as well.
Then we need to develop a ServletFilter for tomcat that will verify the tokens, which we should provide upon every write request. This seems like a good starting point: http://stackoverflow.com/questions/30335106/can-tomcat-work-with-jwt-token. Though I'm sure there will be some extra tomcat setup and general fun doing a java project setup.
To verify this issue is resolved, once properly configured:
http://localhost:8000/jwt/token
and you should be able to receive a tokenThe text was updated successfully, but these errors were encountered: