(re-send after joining the core list)
Chris & Bryan,
On 04/30/2014 10:58 AM, Bryan Davis wrote:
> I would advocate designing all services such that they are ready to be
> used externally even if they are initially firewalled or proxied. I
> agree that making "internal only" service interfaces is much easier
> but over the longer term it becomes very likely that some things that
> were built to be internal only will be found to be useful to expose
> directly to the outside world. In my experience it is much trickier to
> graft a robust auth layer onto a service that already has multiple
> internal consumers than it is to build this feature into a service
> from the start.
I completely agree with this. Relying on consistent access right checking in
a variety of front-ends is a brittle solution. Any exploit in one of those
front-ends has potentially nasty consequences.
Here is a sketch of an authentication system that's a bit more robust, and
potentially also more efficient:
* the authentication service is the only service with access to passwords
  and other sensitive user info
* users retrieve signed and time-limited tokens from the authentication
  service, for example using OAuth2; these could be transmitted using
  HTTP-only cookies
* most other services have no built-in privileges; they merely pass on
  tokens provided by users to backend services. This reduces the risk of
  confused deputies and helps to limit the potential impact of exploits.
* tokens ideally encode the most common rights and are signed (example: JSON
  web tokens in OAuth2). This allows backend services to verify their validity
  by checking the signature & time without needing to call back into the
  authentication service. More complex rights are handled by calling back into
  the auth service.
* all authenticated client connections are encrypted with TLS
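A minimal illustration of the token part of this sketch, added here as example code (not from the RFC or from MediaWiki): the auth service mints an HS256-signed JWT carrying the common rights and an expiry, a privilege-less front-end merely forwards it, and the backend checks signature and time locally. It assumes a shared HMAC key distributed out of band.

```python
import base64, hashlib, hmac, json, time

# Constructed example key shared by the auth service and the backends;
# a real deployment would distribute it out of band (assumption).
SIGNING_KEY = b"example-shared-secret-not-for-production"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user, rights, ttl, key=SIGNING_KEY, now=None):
    """Auth service: mint a JWT with the most common rights and an expiry."""
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": user, "rights": rights, "exp": now + ttl}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token, key=SIGNING_KEY, now=None):
    """Backend: verify signature and time locally, with no callback to the
    auth service. Returns the claims, or None if the token is not acceptable."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None  # pin the algorithm; never trust the token's own choice
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # tampered payload or wrong key
        claims = json.loads(_unb64(payload))
    except (ValueError, KeyError, TypeError):
        return None
    if claims.get("exp", 0) <= now:
        return None  # expired (or missing expiry)
    return claims

def backend_can(token, right, now=None):
    """Backend authorization for a 'common' right encoded in the token."""
    claims = verify_token(token, now=now)
    return claims is not None and right in claims.get("rights", [])

def frontend_forward(user_token, right, now=None):
    """Front-end with no privileges of its own: it only passes the user's
    token on, so compromising it yields nothing beyond that user's rights."""
    return backend_can(user_token, right, now=now)
```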
I have started to draft an RFC on this at [2]. Please chime in if you are
interested.
Gabriel
[1]: https://www.mediawiki.org/wiki/Requests_for_comment/Content_API
[2]: https://www.mediawiki.org/wiki/Requests_for_comment/SOA_Authentication