-
Notifications
You must be signed in to change notification settings - Fork 327
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Client credentials grant allowing command line and server-to-server access to VP protected resources #362
Comments
@bselu-cso I think I know where you're headed but for posterity could you clarify and expand your use case a bit? What problem are you trying to solve? Is this about api access using bearer tokens? Would this bypass Nginx? VP is currently very focused on humans interacting with browsers but if this for could be accommodated with reasonable expansion and you'd be willing to support the work for at least a year I'd consider it. |
My use-case is indeed not the typical human-browser interaction. Instead, I have a client app which needs to talk to some service. Nginx would not be bypassed. The service itself is not secured in any way, security would be provided by nginx / VP by verifying the client-id and client-secret against an oauth-server. As the client app doesn't have any means of interaction with a user, the client credentials would be either built-in or provided by a secure storage facility. For clarity, please have a look at the client credentials flow I found in the Okta docs: https://developer.okta.com/docs/concepts/oauth-openid/#client-credentials-flow As for the support I'd need to clarify this with my contractee but it might be possible. To proceed I'd need to know, whether I'm headed in the right direction and it makes sense at all to extend Vouch for this feature, or I'm totally mistaken and should rather fork, or even start something new from scratch. |
I have wanted to do something similar as well, I have nginx+Vouch sitting in front of a MediaWiki install, and I want to write a script that uses the MediaWiki API, but it needs to get through Vouch first. Because it's a script, it would be a lot easier to use something like the client credentials grant to get through Vouch instead of trying to emulate an OAuth flow in a browser. |
@bgehman that sounds reasonable As a first step towards integration and design could you outline how you'd like to trigger/request and manage this flow with the existing endpoints |
I thought about this and figured that we'd just need I created a sequence diagram using PlantUML. Not sure, whether it is complete / correct. Please check it out. I use |
hmm this doesn't really map to the client credentials grant in OAuth, this is more of its own thing. I would not recommend sending the client secret in a GET request, that goes against the spec and all best practices. I'll try to come up with an alternative flow that I think would map better to existing specs. |
@aaronpk IMHO this pretty much corresponds to the OAuth spec in https://tools.ietf.org/html/rfc6749#section-4.4. Where do you think does it deviate? |
Places where your diagram deviates from OAuth:
This isn't to say all of these points are bad, but I would not call this OAuth, and I would definitely also fix the GET request so that credentials aren't sent in the query string. |
Thanks a lot for your post. I see your points. I think I looked at it from a different perspective. For me, the client app including nginx and vouch would be what is depicted as "Client" in RFC6749:
I guess you relate ngnix / vouch rather as part of the authorization server. In this case not much of what is part of my sequence diagram is covered by OAuth, that's for sure. :-) My intention was to make things as transparent as possible. For the service this is not a problem at all, as it's hidden behind ngnix / vouch. However, the client must be tought some way of authentication. That's how the credentials ended up in the GET request. But of course you're right, credentials shouldn't be in a GET. Maybe I should separate the authentication completely by a seperate POST. This would only make a small difference for the client implementation. I'd love to see your idea of an OAuth-compliant flow. |
@aaronpk wrt to...
Would love to hear your thoughts if you're in a position to flesh out some design thinking. VP is definitely an odd hybrid of OAuth client and server. Should rename it "Janus" :) |
The way I was thinking about it is Vouch is actually already its own authorization server by the fact that it is issuing its own JWTs and validating them. The current method of issuing them is to redirect the browser to some other authorization server to figure out who the user is, and then it sets the JWT cookie down to the browser. This is a pretty typical flow where one AS delegates user authentication to another AS, we see it all the time between various OIDC servers, a prominent example being how you can configure your Google Workspace domain to redirect users to your own OIDC server to authenticate them. In that situation, Google is still its own AS issuing its own tokens for its own services, but the user accounts live in your own OIDC server. With that background, here is what I would suggest for Vouch:
Here's a sequence diagram This maps exactly to the OAuth client credentials grant, and also makes it very straightforward to work with from scripts and code rather than messing around with redirects or setting Cookie headers from code. |
@aaronpk fantastic stuff! Thanks for fleshing that out and for the diagram. wrt..
IMHO it'd be preferable for Vouch Proxy to delegate that authority to the upstream OAuth provider if possible. The more VP can glean from the IdP the better. @bselu-cso how does that strike you? That would seem to provide what you're looking for, yeah? |
Thanks for the nice diagram, @aaronpk. That would be working for my use-case, I guess. One note: From my point of view it would make more sense to have the client send its POST authentication not to vouch directly but rather over ngnix forwarding it to vouch. Reasons:
What do you guys think of that? |
@bselu-cso thanks for those... VP doesn't really care where a request originates. It tries to be as dumb a service as possible. For VP development there's always a few common setups that I consider to be the ones which must be accommodated in order to not break existing setups in the field... Everything behind nginx....
Vouch lives "somewhere else"
The second case allows for round robin scalability. It's very likely that the VP instance is running behind an Nginx instance, but you don't know. That setup accommodates Kubernetes as well. Essentially, I assume that all endpoints can be accessed directly or proxied. If we tied VP tightly to Nginx we'd get into akward testing setups and an additional layer of abstraction for only marginal improvement. And it would likely break existing setups which we always try to avoid. Running on a socket is an interesting use case and I see how it could be more secure though I'm unsure of the gains. If you cared to work on that I'd prefer we separate that out into another issue and PR to carry the concept. |
Hi @bnfinet @bselu-cso @aaronpk I would really be interested in this feature. Currently, I understand that vouch proxy is only intended for use with a browser with openid grant type But it was to ask if you plan to develop it. And if so, with your guide, offer to collaborate. Thank you in advance. |
@sp-manuel-jurado thanks for chiming in here. Yes it seems like this would be a good addition to VP. Am I hearing that you would have some interest in working on this? That would be most excellent. |
@bnfinet This is a use case for us too. I would like to chime in and say I'd be interested in contributing to this feature and its support. |
I figured that VouchProxy currently supports the regular "authorization code grant" only.
I'm looking for a possibility to get the "client credentials grant" working, like described here https://tools.ietf.org/html/rfc6749#section-4.4. I am thinking about extending VP so that it supports this kind of authorization flow.
Does this make sense anyway? Where in the code would it be a good idea to integrate this?
The text was updated successfully, but these errors were encountered: