Comments (4)
I'm pretty sure this is not the place to change logic of when a token should be sent or not. The correct place is in the code that creates the AuthorizationToken to begin with because that code is the one that populates the list of domains.
It isn't clear how exactly that code would know/decide which domains to put in the list, but it's clearly not something the http lib can do.
For the purposes of OIDC tokens, that code is the StandardIdentityManager in https://github.com/opencadc/ac/tree/master/cadc-gms, which currently uses the hostname of the OIDC issuer.
I will transfer this issue to that repo and rename for clarity.
from ac.
The current implementation of the IentityManager has to validate/augment an incoming auth token (AuthorizationTokenPrincipal) by calling the issuer and, if successful, it creates an AuthorizationToken and adds it to the credential set so that calls can be made on the user's behalf. Use case: subsequent call to a GMS service using IvoaGroupClient.
At the point of the validate(), the code only knows it's own trusted token issuer and this only knows that the operator of that software trusts that issuer (host) as a place to send user tokens, so that's the only domain it adds to the AuthorizationToken. Given that this is the "user service" and "groups" are tightly coupled with users, this is close to being the right choice for the user case.
For example, if the issuer was https://srv.example.net/users
and the GMS service was https://srv.example.net/groups
then the current code would enable a service that was configured with that issuer to successfully send the token to that gms service to check groups. A slightly different setup like issuer https://issuer.example.net/
and https://gms.example.net/
would not work as-is because of the different hostnames, but that's almost a bug... I say almost because deriving a domain from a hostname and then assuming tokens are valid for the whole domain is a huge assumption that won't always be true and will sometimes be really dangerous!
I haven't seen or understood something in OIDC docs that says how code can figure out where it is safe to send tokens (eg in the context of the StandardIdentityManager.validate()
method). I feel like the issuer should be the one to declare or advertise where tokens can be safely sent (which internet hosts/domains are part of it's "administrative domain")... lots TBD here and certainly open to enhancements, but they have to be safe :-)
from ac.
Would just like to flag this issue as increasingly important as the UK deployment of GMS (on a different host as IAM, but some domain) is being deployed.
from ac.
PR #143 improves this (minimally) so that AuthorizationToken includes the hostname of the OICD issuer and the hostname of a trusted GMS service (configured as usual via cadc-registry config). Since the LocalAuthority API only allows for one {standardID} = {resourceID} mapping, this enables a single GMS service that is rpesumably co-located with the OIDC issuer.
from ac.
Related Issues (18)
- LocalAuthority used when reading XML documents HOT 1
- access control cert-only user connection HOT 1
- client = new GMSClient(URI.create("ivo://oats.inaf.it/gms")) - hard-coded string HOT 1
- tokens from the openid authorize endpoint do not include domains HOT 1
- LdapConfig still required dbrcHost entry in config HOT 1
- Who Am I Servlet redirect logic HOT 1
- GroupURI does not enforce ivos cheme HOT 1
- identity manager making cert users anonymous HOT 1
- GMSClient always uses the CERT AuthMethod.
- UserClient assumes X509 AuthMethod HOT 1
- JSON output allowing numbers that begin with zero HOT 1
- JSON Listing contains invalid data
- Add profiling to GMSClient HOT 1
- Cookies created by cadc-access-control-server are not RFC compliant HOT 3
- Remove hardcoded LDAP config file name HOT 1
- cadc-tomcat Authenticator should use configured URL as-is
- Error message returned from ac service on account request leaks user information HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ac.