(re-send after joining the core list)
Chris & Bryan,
On 04/30/2014 10:58 AM, Bryan Davis wrote:
> I would advocate designing all services such that they are ready to be used externally even if they are initially firewalled or proxied. I agree that making "internal only" service interfaces is much easier but over the longer term it becomes very likely that some things that were built to be internal only will be found to be useful to expose directly to the outside world. In my experience it is much trickier to graft a robust auth layer onto a service that already has multiple internal consumers than it is to build this feature into a service from the start.
I completely agree with this. Relying on consistent access right checking in a variety of front-ends is a brittle solution. Any exploit in one of those front-ends has potentially nasty consequences.
Here is a sketch of an authentication system that's a bit more robust, and potentially also more efficient:
* the authentication service is the only service with access to passwords and other sensitive user info
* users retrieve signed and time-limited tokens from the authentication service, for example using OAuth2; these could be transmitted using HTTP-only cookies
* most other services have no built-in privileges; they merely pass on tokens provided by users to backend services. This reduces the risk of confused deputies and helps to limit the potential impact of exploits.
* tokens ideally encode the most common rights and are signed (example: JSON Web Tokens in OAuth2). This allows backend services to verify their validity by checking the signature & time without needing to call back into the authentication service. More complex rights are handled by calling back into the auth service.
* all authenticated client connections are encrypted with TLS
I have started to draft an RFC on this at [2]. Please chime in if you are interested.
Gabriel
[1]: https://www.mediawiki.org/wiki/Requests_for_comment/Content_API
[2]: https://www.mediawiki.org/wiki/Requests_for_comment/SOA_Authentication
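The sketch in Gabriel's message, worked through as an added example (not code from the thread, the RFC, or MediaWiki): one auth service holds the password hashes and the signing key and issues time-limited, HMAC-signed tokens in the JWT header.payload.signature layout; a front end with no privileges of its own forwards the user's token; a backend verifies signature and expiry locally, reads the common rights ("read", "edit") out of the token, and calls back into the auth service only for a right the token does not encode (here, deleting a page you own). The class and method names, the toy user and page data, and the ownership rule for "delete" are all assumptions made up for the illustration.

```python
"""Token-based SOA auth sketch (added example; names and data are assumed)."""
import base64, hashlib, hmac, json, os, time

PBKDF2_ITERS = 100_000  # password hashing cost; only the auth service runs this


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class TokenError(Exception):
    pass


def sign_token(claims, key):
    """JWT-style header.payload.signature using HMAC-SHA256 (HS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token, key, now=None):
    """Check signature and expiry locally; no call to the auth service needed.
    The header's "alg" is deliberately ignored: only HS256 with our key is accepted,
    so a forged header claiming alg=none cannot downgrade verification."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if now >= claims.get("exp", 0):  # a token without "exp" is treated as expired
        raise TokenError("token expired")
    return claims


class AuthService:
    """The only component that sees passwords and holds the signing key."""
    TOKEN_TTL = 3600  # seconds

    def __init__(self, key):
        self._key = key
        self._users = {}   # name -> (salt, pbkdf2 digest, rights); constructed data
        self._owners = {}  # page -> owner; used for the "complex" delete right

    def add_user(self, name, password, rights):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
        self._users[name] = (salt, digest, sorted(rights))

    def set_owner(self, page, owner):
        self._owners[page] = owner

    def login(self, name, password, now=None):
        now = time.time() if now is None else now
        if name not in self._users:
            raise TokenError("bad credentials")
        salt, digest, rights = self._users[name]
        attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
        if not hmac.compare_digest(attempt, digest):
            raise TokenError("bad credentials")
        claims = {"sub": name, "iat": int(now), "exp": int(now) + self.TOKEN_TTL, "rights": rights}
        return sign_token(claims, self._key)

    def can_delete(self, user, page):
        """Right that is not encoded in the token: backends call back for it."""
        return self._owners.get(page) == user


class ContentBackend:
    """Holds only the verification key, never passwords."""
    def __init__(self, key, auth):
        self._key, self._auth = key, auth

    def read(self, token, page, now=None):
        claims = verify_token(token, self._key, now)
        if "read" not in claims["rights"]:
            raise TokenError("read right missing")
        return f"contents of {page} for {claims['sub']}"

    def delete(self, token, page, now=None):
        claims = verify_token(token, self._key, now)
        if not self._auth.can_delete(claims["sub"], page):
            raise TokenError("not allowed to delete")
        return f"deleted {page}"


class FrontEnd:
    """No privileges of its own: it only passes the user's token through."""
    def __init__(self, backend):
        self._actions = {"read": backend.read, "delete": backend.delete}

    def handle(self, cookie_token, action, page, now=None):
        if action not in self._actions:
            raise TokenError("unknown action")
        return self._actions[action](cookie_token, page, now)


def demo(now=1_700_000_000.0):
    """Run the flow on constructed data; returns outcomes keyed by scenario."""
    key = os.urandom(32)  # shared HMAC key: auth service signs, backends verify
    auth = AuthService(key)
    auth.add_user("alice", "correct horse battery", ["read", "edit"])
    auth.set_owner("User:Alice/Draft", "alice")
    front = FrontEnd(ContentBackend(key, auth))

    def attempt(*args):
        try:
            return front.handle(*args)
        except TokenError as e:
            return str(e)

    results = {}
    try:
        auth.login("alice", "wrong password", now)
    except TokenError as e:
        results["bad_login"] = str(e)
    token = auth.login("alice", "correct horse battery", now)
    results["read"] = attempt(token, "read", "Main_Page", now)
    results["delete_own"] = attempt(token, "delete", "User:Alice/Draft", now)
    results["delete_other"] = attempt(token, "delete", "Main_Page", now)
    results["expired"] = attempt(token, "read", "Main_Page", now + AuthService.TOKEN_TTL)
    # Forgery: grant ourselves "delete" in the payload but keep the old signature.
    h, p, s = token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims["rights"].append("delete")
    forged = ".".join([h, _b64url(json.dumps(claims, separators=(",", ":")).encode()), s])
    results["forged"] = attempt(forged, "read", "Main_Page", now)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:13s} {outcome}")
```

A real deployment would use a per-service audience claim and an asymmetric signature (RS256/ES256) so backends hold only a public key; a shared HMAC key means any backend that is compromised can mint tokens, which is exactly the confused-deputy exposure the design tries to shrink.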