
macaroon-session-example's Introduction

Gif of session refresh

Getting Started

  • Install docker and compose
  • docker-compose build web && docker-compose up

It may be necessary to change the SERVER_NAME and AUTH_ORIGIN environment variables in docker-compose.yml, depending on your local Docker/Compose setup; they should match the URL used to access the service.

What is this?

This is a quick and dirty proof-of-concept for refreshing a macaroon session in browser, without communicating with a third party.

How it works:

  1. A user logs in and is given a session macaroon that will last the length of their browser session.
  2. That session macaroon has a third party caveat requiring that they prove they are logged in with the auth service (in this case, the same server).
  3. The user is initially given a discharge macaroon proving they are logged in (after successful login), but it is short-lived.
  4. An invisible sandboxed iframe from the auth service is embedded into the page, and contains the key necessary to mint a new discharge macaroon.
  5. At any time (user manually clicks a "refresh" link, or automatically in response to user interaction) the user's discharge macaroon can be refreshed by using cross-document messaging with the auth iframe, extending the user's session.
  6. Because the discharge key is available to the client, a limit is placed on the length of time a session may be refreshed.
  7. When the user's session expires (they forget to refresh) or the refresh limit is reached, they are automatically logged out.
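The flow above, modelled as an added example (not the project's own code): a minimal HMAC-chained macaroon, a session macaroon carrying the refresh cap and the third-party caveat, a short-lived discharge that the auth iframe re-mints from the caveat root key, and a verifier that enforces both time limits. The key names, TTL values and caveat encoding are assumptions, and the verifier is simplified: it looks the caveat key up by id instead of decrypting it from the session signature, and it omits discharge binding.

```python
import hmac
import hashlib


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


class Macaroon:
    """Minimal macaroon: sig = H(root, id), then sig = H(sig, caveat) per caveat."""

    def __init__(self, root_key: bytes, ident: bytes):
        self.id, self.caveats, self.sig = ident, [], _hmac(root_key, ident)

    def add_caveat(self, caveat: bytes) -> "Macaroon":
        self.caveats.append(caveat)
        self.sig = _hmac(self.sig, caveat)
        return self


def expected_sig(root_key: bytes, m: Macaroon) -> bytes:
    sig = _hmac(root_key, m.id)
    for c in m.caveats:
        sig = _hmac(sig, c)
    return sig


def time_caveats_ok(caveats, now: int) -> bool:
    # Every "time < T" caveat must still hold; other caveats are checked elsewhere.
    return all(not (c.startswith(b"time < ") and now >= int(c[7:])) for c in caveats)


SESSION_KEY = b"server-root-key"          # constructed: known only to the service
DISCHARGE_KEY = b"auth-caveat-root-key"   # constructed: the key embedded in the auth iframe
REFRESH_LIMIT, DISCHARGE_TTL = 8 * 3600, 300  # assumed: 8h refresh cap, 5min discharge


def mint_session(user: bytes, now: int) -> Macaroon:
    m = Macaroon(SESSION_KEY, b"session:" + user)
    m.add_caveat(b"time < %d" % (now + REFRESH_LIMIT))  # hard cap on how long refreshing works
    return m.add_caveat(b"third-party: auth must discharge cid=logged-in:" + user)


def mint_discharge(user: bytes, now: int) -> Macaroon:
    """Minted by the server at login and again by the auth iframe on each refresh."""
    d = Macaroon(DISCHARGE_KEY, b"logged-in:" + user)
    return d.add_caveat(b"time < %d" % (now + DISCHARGE_TTL))


def verify(session: Macaroon, discharge: Macaroon, now: int) -> bool:
    if not hmac.compare_digest(session.sig, expected_sig(SESSION_KEY, session)):
        return False
    if not hmac.compare_digest(discharge.sig, expected_sig(DISCHARGE_KEY, discharge)):
        return False
    if b"third-party: auth must discharge cid=" + discharge.id not in session.caveats:
        return False  # the discharge does not satisfy this session's third-party caveat
    return time_caveats_ok(session.caveats, now) and time_caveats_ok(discharge.caveats, now)
```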

Inspiration

This is directly inspired by a suggestion from the Macaroons Paper:

Local Discharging of Third-party Caveats

Third-party caveats can be used to implement decentralized authorization using holder-of-key proofs from authentication servers, as explained in earlier examples. However, third-party caveats may be discharged not just by networked servers, but by any isolated protection domain capable of holding secrets— such as, for example, a Web browser frame or extension, a mobile application, or a hardware token that is available locally to a user at a client.

The delegation of third-party caveat discharging to such local principals can improve both performance (by reducing network messages), as well as the precision of authorization policy enforcement. For example, a collection of unrelated Web services may use the same federated login system; if each service maintains separate sessions, logging out of one service may leave the user, unknowingly, still logged in and authorized in other services, and thereby put them at risk. Instead, using macaroons, each request, on all sessions, may derive a fresh, or very short-lived, caveat discharge from the third-party federated login service (e.g., via a hidden iframe that holds the caveat root key to derive discharge macaroons and is accessible from each service’s Web page). Thus, a federated login service may hold the authoritative credentials, and services may be decoupled, yet the user need log out only once to immediately de-authorize all services.

Notes

  • This is mostly a way to improve the user experience around session staleness, and does little to improve security. The caveat discharge key is available to the browser so a compromised session could be extended indefinitely unless other measures are put in place.
  • This implementation is just one example of an approach, and the design could be modified to suit other needs. (It may not be desirable to force a logout even if the user is refreshing; there may be different ways in which the target service and the auth service agree on keys; the auth service may choose not to embed the caveat root key locally; etc.)
  • The particular choice of cookies to use and data to expose to different channels is somewhat flexible and should be carefully considered. This example exposes the session macaroon signature to JavaScript but not the session macaroon itself.

macaroon-session-example's People

Contributors

ecordell, srenatus


macaroon-session-example's Issues

Original source?

Is there any chance that the JS source for this project is or could be made available? The POC is nifty, but being able to trace what you've actually done in the browser would be invaluable.

ImportError: cannot import name 'escape' from 'cgi'

Hi,

I am trying to run this web example for macaroons using all the requirements needed for this project. For this I have already installed a virtual environment using virtualenv labelled "macaroons_flask". In this virtual environment I have the following dependencies installed:

(macaroon_flask) ➜  macaroon-session-example git:(master) ✗ pip list
Package         Version
--------------- -------
arrow           0.4.4
Flask           0.10
Flask-WTF       0.9.5
hiredis         0.1.5
isodate         0.5.1
itsdangerous    2.0.1
Jinja2          3.0.2
libnacl         1.8.0
MarkupSafe      2.0.1
pip             21.1.2
pymacaroons     0.5.6
python-dateutil 2.8.2
redis           2.10.3
setuptools      57.0.0
six             1.16.0
Werkzeug        2.0.2
wheel           0.36.2
WTForms         1.0.5

My problem is that when I am trying to run the web application - once I am inside the virtual environment - I run the command python run.py but I get the following error:

(macaroon_flask) ➜  macaroon-session-example git:(master) ✗ python run.py 
Traceback (most recent call last):
  File "/Users/samuel/Individual Project Code/Macaroons/macaroon-session-example/run.py", line 3, in <module>
    from app import app
  File "/Users/samuel/Individual Project Code/Macaroons/macaroon-session-example/app/__init__.py", line 3, in <module>
    from app.authentication.controllers import mod_auth as auth_module
  File "/Users/samuel/Individual Project Code/Macaroons/macaroon-session-example/app/authentication/controllers.py", line 3, in <module>
    from app.authentication.views import (
  File "/Users/samuel/Individual Project Code/Macaroons/macaroon-session-example/app/authentication/views/__init__.py", line 1, in <module>
    from app.authentication.views.login_view import LoginView
  File "/Users/samuel/Individual Project Code/Macaroons/macaroon-session-example/app/authentication/views/login_view.py", line 6, in <module>
    from app.authentication.forms import LoginForm
  File "/Users/samuel/Individual Project Code/Macaroons/macaroon-session-example/app/authentication/forms.py", line 1, in <module>
    from wtforms.fields import TextField, PasswordField, BooleanField
  File "/Users/samuel/Individual Project Code/my_environments/macaroon_flask/lib/python3.9/site-packages/wtforms/__init__.py", line 11, in <module>
    from wtforms import validators, widgets
  File "/Users/samuel/Individual Project Code/my_environments/macaroon_flask/lib/python3.9/site-packages/wtforms/widgets/__init__.py", line 1, in <module>
    from wtforms.widgets.core import *
  File "/Users/samuel/Individual Project Code/my_environments/macaroon_flask/lib/python3.9/site-packages/wtforms/widgets/core.py", line 3, in <module>
    from cgi import escape
ImportError: cannot import name 'escape' from 'cgi' (/usr/local/Cellar/[email protected]/3.9.7_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/cgi.py)

Any advice to solve this issue? In my case, I am using Python v3.9. I think it is something related to compatibility issues with the version of Python I am using in the virtual environment.

Thanks

Update of Project

Hi,

I am trying to run your project in my local environment, trying to use the latest versions of the dependencies used. Question: for any reason, do you have an update of this project with the latest updates in the dependencies?
