
Improve authentication mechanism

Open eikendev opened this issue 4 years ago • 9 comments

Most importantly, we should enable authentication via, e.g., OAuth bearer tokens, and support 2FA.

eikendev avatar Jan 25 '21 13:01 eikendev

Are there any standards and/or golang libraries you prefer for this? I want to look into the actual implementation of such auth a little bit.

CubicrootXYZ avatar May 03 '21 18:05 CubicrootXYZ

Hm, I think this depends on the goals we want to achieve:

  • If we want to aim for a web-based UI, then we need to set up a login page where login data is posted to and verified, respond with a session cookie and keep track of user sessions.
  • If the CLI is in focus instead, OAuth access tokens would be interesting: the login page returns a token (with limited lifetime), which is stored by pbcli and added to the Authorization header for any request it makes.

Personally, I'd prefer sticking to the CLI because it is less work to maintain, but happy to receive input on this.

eikendev avatar May 03 '21 18:05 eikendev
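The CLI-oriented flow from the second bullet above (a limited-lifetime token handed to pbcli and presented in the Authorization header on every request) as an added example written for this thread; it is not code from the pushbits project or from any of the participants. It uses only the Go standard library rather than Gin or go-oauth2, and the in-memory store, one-hour TTL, realm name and the `Authenticator` interface are assumptions chosen for illustration. Only SHA-256 digests of issued tokens are kept, so a leaked token store does not yield usable credentials, and expired entries are purged when they are next presented.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
	"time"
)

// Authenticator is the pluggable seam: each scheme maps a request to a user or rejects it.
type Authenticator interface {
	Authenticate(r *http.Request) (user string, err error)
}

var ErrUnauthorized = errors.New("unauthorized")

type tokenRecord struct {
	user    string
	expires time.Time
}

// BearerAuth issues random, short-lived opaque tokens and validates the
// Authorization header. Only SHA-256 digests of tokens are stored.
type BearerAuth struct {
	mu      sync.Mutex
	ttl     time.Duration
	records map[string]tokenRecord // keyed by hex(sha256(token))
	now     func() time.Time       // injectable clock, for tests
}

func NewBearerAuth(ttl time.Duration) *BearerAuth {
	return &BearerAuth{ttl: ttl, records: map[string]tokenRecord{}, now: time.Now}
}

func digest(tok string) string {
	sum := sha256.Sum256([]byte(tok))
	return hex.EncodeToString(sum[:])
}

// Issue mints a 256-bit token for user; the plaintext is returned once and never stored.
func (b *BearerAuth) Issue(user string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	b.mu.Lock()
	defer b.mu.Unlock()
	b.records[digest(tok)] = tokenRecord{user: user, expires: b.now().Add(b.ttl)}
	return tok, nil
}

// Authenticate accepts "Authorization: Bearer <token>" and enforces the TTL.
func (b *BearerAuth) Authenticate(r *http.Request) (string, error) {
	const prefix = "Bearer "
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, prefix) {
		return "", ErrUnauthorized
	}
	key := digest(strings.TrimSpace(strings.TrimPrefix(h, prefix)))
	b.mu.Lock()
	defer b.mu.Unlock()
	if rec, ok := b.records[key]; ok && b.now().Before(rec.expires) {
		return rec.user, nil
	}
	delete(b.records, key) // unknown or expired: drop any stale entry
	return "", ErrUnauthorized
}

// RequireAuth wraps a handler; rejected requests get 401 plus a challenge and never reach next.
func RequireAuth(a Authenticator, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := a.Authenticate(r); err != nil {
			w.Header().Set("WWW-Authenticate", `Bearer realm="pushbits"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	auth := NewBearerAuth(time.Hour)
	tok, _ := auth.Issue("alice") // "alice" is a constructed sample user
	handler := RequireAuth(auth, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "message accepted")
	}))
	req := httptest.NewRequest(http.MethodGet, "/message", nil)
	req.Header.Set("Authorization", "Bearer "+tok)
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, req)
	fmt.Println(rec.Code, strings.TrimSpace(rec.Body.String()))
}
```

A session-cookie scheme for a web UI would implement the same `Authenticator` interface and be swapped in via configuration, which is what keeps the transport-level middleware independent of the chosen method.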

OAuth sounds fine to me. It is a widely adopted standard so it can be used for a GUI later too. Maybe an option for long-term (limited access) tokens might be great too.

CubicrootXYZ avatar May 04 '21 15:05 CubicrootXYZ

I searched a bit through the available libraries. There are 2 gin-specific OAuth libraries, one based on the basic oauth lib and another one from Zalando. But both have not been updated in the last few years.

Another option would be to just use the basic oauth2 lib, which would also give some more freedom in handling the authentication, e.g. if you plan to make authentication mechanics switchable via config options.

CubicrootXYZ avatar May 04 '21 17:05 CubicrootXYZ

I think the first option go-oauth2/gin-server appears fine, it glues together Gin (which we are already using) and the basic oauth2 lib. Presumably the reason why it seems so inactive is that there's not a lot of code, but still the code that's there is convenient for us to use. Since it's from go-oauth2, I would trust it more than some random package.

eikendev avatar May 04 '21 19:05 eikendev

I implemented OAuth as an optional authentication mechanism in a branch of my fork.

I would enjoy any comments and ideas on how to improve it further. Currently the only thing I am missing (and want to implement) is the ability to create long-term tokens.

I intentionally tried to apply a modular scheme to the authentication process, so that other authentication methods can easily be implemented if needed.

CubicrootXYZ avatar May 30 '21 10:05 CubicrootXYZ

That's awesome! Would you mind creating a pull request for it? We can treat it as WIP, but it makes the review more convenient.

eikendev avatar May 30 '21 18:05 eikendev

Sure, created https://github.com/pushbits/server/pull/29

CubicrootXYZ avatar May 30 '21 18:05 CubicrootXYZ

Thanks, will have a look on Tuesday!

eikendev avatar May 30 '21 21:05 eikendev