-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authentication and Authorization extension points #1035
Comments
I find the scope of this epic rather overwhelming and would not know where to start. I am proposing to define scenarios based on our Shopping example app and split the big auth+auth story into smaller incremental chunks that are more manageable. Here is my take on the scenarios.
@raymondfeng @strongloop/loopback-next thoughts? Refactoring: Customer credentials #1996Let's keep things simple for now and use a password as the only credential. (No 2-factor-auth, no OAuth/OpenID/SAML for now.) In LoopBack 3.x, we are storing storing user's password together with user data in the same model (table), which opens a lot of security vulnerabilities to deal with. For example:
For LB4, I would like us to explore the design where passwords are stored in their own table and a relation "user has one password" is configured (#1422 is tracking HasOne relation). We can also use "user has many password" and include a flag (a Password model property) to distinguish between the current active password and the passwords used in the past. The current version of the Shopping Server is already storing the password in the Groundwork: Access tokens, login & logout #1997Define a new Implement login and logout, expose them via REST API. Let's create a new Controller class for these endpoints! The goal of this step is to show a reference implementation in our Shopping App and prepare ground for the actual auth-related work in the next iterations. Later, we may decide to extract AccessToken & Password models together with the relevant repositories and Controller classes into a shareable LB4 component (e.g. The First Scenario: Authenticated orders (a minimal authentication) #1998Rework For example, we can remove
Existing REST API exposed by The goal of this story is to leverage The Second Iteration: Cancelling orders (a minimal scope-based authorization) #1999Let's add a new Let's define two kinds of users in our Shopping app:
As part of this iteration, we need to figure out how to implement scopes, how to decorate controller methods like Next: Extension Points #2000Armed with a small application having authentication and authorization constraints in place, let's look at extensibility and what extension points we may need to define to support those use cases. Few example scenarios to drive our focus:
Ideally, for each scenario we look into, there should be a documentation and/or a blog-post and/or a reference implementation to make it easier for LB4 users to implement similar functionality in their project. |
After discussing with @bajtos and @raymondfeng, we're going to implement our own dummy authentication provider for the purpose of this epic. What changes needed in our shopping app example
|
Just jumping on as a desired feature! Yes, I know about 'subscribe' (and did so) but wanted to bump the thread :) == John == |
Please use "thumbs up" vote a the top (in the issue description) in the future. That way we can sort issues by the number of upvotes. |
There had been a few discussions around this epic among @raymondfeng @bajtos @jannyHou @emonddr. Hopefully I can capture the summary here. Please correct me if I'm wrong or miss anything! What we've done (a very high level)We've added the PoC to show how to add JWT authentication in the example-shopping app. What's outstanding in the shopping app (post Q1)
Next stepsThe next steps are to:
Note: Step 1a-d can happen in parallel. |
@dhmlau Thank you for the summary. @raymondfeng Regarding the authentication strategy part in the picture above(4,6,C), the shopping example app has C in the authentication strategy class, see 'JWTStrategy', while has 4 and 6 as services, see JWTAuthenticationService. By extracting them into interfaces, do we want to still keep 6 and 4 as services or merging them into the strategy class? |
We make a decision based on whether such functions represent the related resonsibity of a strategy. If yes, it make sense to define an interface to group these methods and have classes to implement them. Please note that a class can use DI to conpose with other services and offer a facade. |
For Q2, the planned MVP would be:
|
An update:
|
I am proposing to include the following story in our Q2 plan: #1334 |
Discussing with @raymondfeng @bajtos, it would be better to separate the authentication and authorization epics. I'll be creating the 2 epics and will eventually close this one. Please continue the discussion in the separated epics in the future. Thanks. |
Closing as done. |
Per discussion with @raymondfeng @kjdelisle:
Need extension point implementation and extension interfaces for authentication and authorization
make sure we have the infrastructure for users to build extensions
if we have solid reference implementation for Passport strategy, it is not a must to provide other reference implementation for GA
Extension: Authentication
Extension: Authorization
User Experience
For a given controller method, we should be able to use decorators to express the authorization requirement. e.g. we allow / deny certain roles.
need to have the ability to decorate the methods to indicate the scope of the resource access. i.e. group the methods for access. e.g. write access for Order.
example: when cancelling order, only the customer and customer rep can cancel.
can possibly use json / yaml files to define the access rules, besides using decorators.
Need infrastructure to help us to make the yes/no decision - decision could be no-go, consult external provider (e.g. enterprise might have a centralized authorization management system). This can be expressed in extension points to plug in other authorization providers.
from admin perspective, we need a way to specify the role mapping. i.e. which user belongs to which role. -- 1) static mapping table. 2) some role has to be dynamically determined per request, e.g. cancelling order. need to figure out for the given orderid, it matches with the customerid to place the order.
authorization has the dependencies on authentication, because we need to know who is making the call. Two pieces of identity 1) the user itself, 2) application id making the request <--- think FB app.
also look at what we have in LB3 for functional parity
we also allow developers to write code to override our authorization decisions (added business logics in the controller)
Questions to answer
Timeboxed max to 2 weeks
The text was updated successfully, but these errors were encountered: