* [Galene] Token authentication
@ 2021-10-30 0:09 Juliusz Chroboczek
2021-10-30 0:11 ` [Galene] " Juliusz Chroboczek
0 siblings, 1 reply; 2+ messages in thread
From: Juliusz Chroboczek @ 2021-10-30 0:09 UTC (permalink / raw)
To: galene
Hi,
I think I've got a working prototype of token authentication for Galene.
There are still some features missing (for example authentication for
recorded files, or finer
The configuration file looks like this:
{
"authServer": "http://localhost:1234",
"authKeys": [{
"alg": "HS256",
"k": "AQIDBA=="
}]
}
The authServer field is the URL of the authentication server; HTTP is
supported, but not recommended -- it's not a good idea to carry passwords
in the clear.
The authKeys field is an array of (public) keys in JWK format; multiple
keys are allowed if they have distinct "kid" fields. Right now, only
HS256, HS384 and HS512 are supported, I'll look at public key crypto at
some later date.
The protocol is as follows. When a client wishes to join a group, it
makes a POST request to the address given by authServer with a JSON object
that looks like this:
{"group": "groupname", "username": "john", "password": "topsecret"}
The server receives the request, checks that the username/password is
correct for the given group, then builds the following claim:
{"sub": "john", "aud": "groupname", "permissions": {"present": true},
"iat": now, "exp": now+30s}
It then wraps it in a signed JWT which it sends in reply to the POST
request. The client retrieves the encoded token, and dumps it into the
"token" field of the "join" request. The server checks the signature of
the token, and, if correct, grants the claimed permissions.
What follows is a sample authorisation server.
#!/usr/bin/python3
import json
import jwt
from datetime import datetime, timezone, timedelta
from aiohttp import web
import aiohttp_cors
secret = b"\1\2\3\4"
users = {
"john": "secret",
"peter": "secret2",
}
async def handler(request):
body = await request.json()
if not ("username" in body and "group" in body and "password" in body):
return web.HTTPBadRequest()
username = body["username"]
if not (username in users) or users[username] != body["password"]:
return web.HTTPUnauthorized()
now = datetime.now(tz=timezone.utc)
token = {
"sub": username,
"aud": body["group"],
"permissions": {"present": True},
"iat": now,
"exp": now + timedelta(seconds=30),
}
signed = jwt.encode(token, secret, algorithm="HS256")
return web.Response(
headers={"Content-Type": "aplication/jwt"},
body=signed,
)
app = web.Application()
route = app.router.add_route("POST", "/", handler)
cors = aiohttp_cors.setup(app, defaults={
"*": aiohttp_cors.ResourceOptions(
expose_headers="*",
allow_headers="*",
)
})
cors.add(route)
web.run_app(app, port=1234)
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-10-30 0:11 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-30 0:09 [Galene] Token authentication Juliusz Chroboczek
2021-10-30 0:11 ` [Galene] " Juliusz Chroboczek
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox