Decompositioning, implement Fosite

[aeneasr]

This PR is a refactor and a partial re-code of Hydra. It will mark version 0.1-beta and will include

• Add Dockerfile for autobuild #60
• CLI refactor and initial account set up #59
• support for ldap for user storage #28
• Implement generic connectors #61
• Rename providers to connectors #38
• CLI refactor and initial account set up #59
• Granted Endpoint Proposal: Performant access decisions for resource providers using REST #48
• Adding basic LDAP package #57
• Migrate from mux to httprouter #14
• Implement OpenID Connect Dynamic Client Registration 1.0 #65 Implement OpenID Connect Dynamic Client Registration 1.0
• https
• key manager cli
• policy cli
• quickstart
• proof of concept rethink adapters with benchmarks
• rethink adapters
• rest api docs
• guide
• exemplary consent endpoint
• spec: /jwk/:set/:kid must return array  #74 spec: /jwk/:set/:kid must return array
• link exemplary policies in the docs #75 link exemplary policies in the docs
• client rest endpoint: rename name to client_name #72 client rest endpoint: rename name to client_name
• mention client_name and client_secret change in docs
• test if key updates work correctly in rethinkdb
• test and document rethinkdb with docker
• wait for creation of keys rethinkdb
• pkg.Retry
• encrypt JWK store
• ui should watch for changes
• wrap jwk watcher in retry

Tagline: "A micro-service OAuth2, OpenID Connect and policy decision point provider written in Go". Check also this milestone: https://github.com/ory-am/hydra/milestones/0.1-beta

[aeneasr]

@leetal keep an eye out for this one :)

[leetal]

@arekkas i sure will! :)
Den 22 mars 2016 16:15 skrev "Aeneas" notifications@github.com:

@leetal https://github.com/leetal keep an eye out for this one :)

—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#62 (comment)

[aeneasr]

Repositories relevant for the refactor:

• https://github.com/ory-am/hydra-signup-react (exemplary sign up app in react)
• https://github.com/ory-am/hydra-singin-react (exemplary sign in & consent app in react)

[aeneasr]

The following chart is a very basic architecture overview.

CLI

The CLI hydra will replace the functionality that currently resides in hydra-host and talk through HTTP REST with hydra-host. The admin needs to log in using app credentials. If no app is registered in Hydra, a OTP (one time password) will be printed to stdout by hydra-host. The admin needs to use that OTP in order to create the first administrative client.

idp.hydra.abc.com

I decided to move the identity provider part away from Hydra's core. Instead, it will reside in a microservice. Anyone who wishes to use LDAP or an existing user database as an identity source can do that by implementing the required HTTP REST interfaces (not defined yet).

Identity provider(s) will be added using the CLI: hydra idp add http://...

connector.hydra.abc.com

The connector is responsible for delegating a user to Google, Microsoft and other third party authentication services and returning "user info" to hydra. Hydra will then use that user info to find a match at the identity provider and confirm that the user exists. The matching will be done internally in hydra (currently known as "oauth2 connection")

Connectors will be added using the CLI: hydra connector add http://....

Resource Provider Endpoint

The middleware and client library will be rewritten and offer two interface:

1. Check if a token is valid (checks token expiry, token revokation, scope)
2. Do what 1 does plus access control through policies

[aeneasr]

The reworkings of connectors and identity providers let us additionally paralelize lookups with high efficiency. Cash. :)

[aeneasr]

god, this looks so much cleaner already..

[aeneasr]

Separating idp.hyra.abc.com, singin.hydra.abc.com and connector.hydra.abc.com is maybe not a good idea. The question is, if idp.hydra.abc.com is even required and if singin and connector should be one. It might be good if hydra took over a lot of the complexity and on the same time, it complicates service flows.

[aeneasr]

Complicated: The login endpoint could redirect back to hydra which would redirect that request to Google, MS, and so on. The callback would be a hydra endpoint which would validate the authentication request through a "connection" database lookup and a quick check in at the idp and redirect to the consent endpoint which would issue the consent token.

[aeneasr]

Alternative: The login endpoint handles all the third party authentication on its own and is simply responsible for returning a consent token. This would require much more sophisticated login / consent endpoints

[aeneasr]

One question that has me spinning in circles is how to handle social / remote logins. There are two possibilities I see right now.

Terminology:

• IdP(s): Identity Provider(s)
• Remote / Social IdP: This could be Google, Microsoft, ...
• Local IdP: In monolithic applications, there is always a "user database" where the username, email and password are stored and retrieved. A local IdP is a such a user database which is usually under full control of the hydra administrator and is run in the same network or domain.

The remote party is seen as a standalone IdP

The remote idps (e.g. google) are considered a local idp: When the users signs in using a social login, no lookup is made if that user exists at the local idp. This basically means that we can skip the sign up process.

Workflow (simplified)

1. User chooses to use google for authentication
2. User is redirected to https://hydra.com/oauth2/auth?idp=google&client_id=...
3. User is redirected to https://google.com/sign-in
4. After successful authorization at google, the user is redirected to e.g. https://hydra.com/idp/google/callback
5. Hydra authenticates the user / validates the request by e.g. decoding the id token or making some sort of request to google
6. Hydra asks for the users consent
7. Hydra issues an authorization code / access token

Pro:

• Reduced complexity: No roundtrip or registration at the "local" identity provider required when using social logins
• No need to introduce a functionality like "social connectors" because we can use social idps in the same fashion we use local idps.

Cons:

• Not sure how this scenario would work out if local and social IdPs are used. Because local IdP would create a user account but social IdP would not.
• Not sure how to fetch user data in an orderly fashion from social IdPs. We would need some sort of adapter, but user profile requirements vary a lot across projects.
• Any user can simply "sign up/in" using a social IdP (if activated). There is no "control" possible. Not sure how banning accounts, invitation only sign up and similar things would work.
• If the remote party discontinues services or bans the user account, the local user account will be lost as well.

The remote party acts as an intermediate connector

In contrary to above, the remote party is an identity provider as well, but hydra acts as a bridge between it and the local idp. Every user requires thus an account at the local idp and the remote idp in order to sign in.

Workflow (simplified)

1. User chooses to use google for authentication
2. User is redirected to https://hydra.com/oauth2/auth?connector=google&client_id=...
3. User is redirected to https://google.com/sign-in
4. After successful authorization at google, the user is redirected to e.g. https://hydra.com/connectors/google/callback
5. Hydra authenticates the user / validates the request by e.g. decoding the id token or making some sort of request to google
6. Hydra checks the connection database. It contains fields remote_id, local_id and connector. If the user id returned by the connector exists, hydra uses the local id for further lookup.
7. Hydra checks the local IdP(s) for the found local user id and may ask if that user can be authenticated (this could also be done through policies)
8. If all of the above was successful, hydra will ask for the user's consent
9. Hydra issues an authorization code / access token

Pro / Con: TBD

[aeneasr]

There will be no more middleware, just one client. This will clean up the code base a lot. This interface should basically be implemented by any client in any language. Maybe we can use something like Thrift to build a client library for various languages

[aeneasr]

Connection needs an endpoint which returns

{
   Authorization: 'bearer .....',
}

or some other value for non-OAuth2 requests. This allows for sign up trickery

[aeneasr]

Alternative: The login endpoint handles all the third party authentication on its own and is simply responsible for returning a consent token. This would require much more sophisticated login / consent endpoints

is actually the smarter choice, if the endpoint is returning a "connection token" including the remote_id

[aeneasr]

The consent token should be able to carry a remote subject and id

[aeneasr]

2FA

https://github.com/google/google-authenticator/wiki/Key-Uri-Format

https://tools.ietf.org/html/rfc6238

[aeneasr]

https://github.com/pquerna/otp

[aeneasr]

I have decided to switch from postgres to RethinkDB and use the changes() feature to minimize db queries and significantly increase performance.

[aeneasr]

http://openid.net/specs/openid-connect-core-1_0.html#ServerMTI

[aeneasr]

https://community.pingidentity.com/servlet/fileField?retURL=%2Fapex%2FPingIdentityArticle%3Fid%3DkA340000000Gs7WCAS&entityId=ka340000000GvdRAAS&field=Associated_File__Body__s

[aeneasr]

http://docs.hdyra.apiary.io/#

[iOliverNguyen]

Could you list all Hydra APIs (implemented or will be implemented when #62 is merged) in Apiary? This would help us decide whether Hydra is fitted to our system. Thank you a lot :)

[aeneasr]

Already on it :)

[aeneasr]

0.1-beta is ready. Please try things, and break them. :D

[tacurran]

@aeneasr good history and well written too