authentication improvements #324

Closed
tripodsan opened this issue May 31, 2023 · 1 comment · Fixed by #325
Assignees
Labels
enhancement New feature or request released

Comments

@tripodsan
Contributor

tripodsan commented May 31, 2023

goals:

  • admin, preview and live are protected using the same access token (user only needs to login once)
  • ttl of user access token is long enough (1 work day) or can silently be refreshed
  • customer can use API keys, to either access a protected admin or page/live from a service
  • API keys can be revoked

implementation:

  • issue JWT, signed with helix private key (also see use custom JWT instead the one of the IDP. #287)
  • JWT can include owner/repo in sub claim (also see verify sub claim in jwt to match project #285 )
  • JWT can include key id in jid claim (also see verify jid claim #286)
  • if jid is included, it must match any of the configured access.apiKeyId values
  • if sub is included, it must match owner/repo of the project. sub should support wildcard for the repo
  • pipeline response no longer includes the public key, iss, and aud, but this is now stored in edge dict of .live
  • jti of the project should also be stored in the edge dict and updated automatically
  • API_KEYs must use a sub and jti claim
  • API_KEYs can also include a roles claim, that can be used to auth against admin
  • API_KEYs have admin@adobe.com as email. defining their role in the config overrides the ones defined in the roles claim
  • (edge dict of .live should have a list of projects with auth enforced on .live and pre-emptively check all requests)

future:

  • create customer UI to easily create API keys

/cc @stefan-guggisberg @davidnuescheler
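The claim rules listed above (sub with a repo wildcard, jid against the configured access.apiKeyId values, roles overridden by project config), as an added example that is not helix-admin's own code. It assumes the token signature has already been verified with the helix key, and that `project` is an assumed object shape built from the project config: `{ owner, repo, apiKeyIds, roles }`.

```javascript
// Added example, not code from helix-admin or this issue: the claim checks the
// issue describes, applied to an already signature-verified JWT payload.
// `project` is an assumed shape derived from the project config:
//   { owner, repo, apiKeyIds: [...access.apiKeyId], roles: { [email]: [...] } }

const API_KEY_EMAIL = 'admin@adobe.com';

/**
 * Decides whether a verified token payload grants access to `project` and
 * which roles it carries. Signature verification (helix private/public key)
 * is assumed to have happened before this is called.
 */
function checkClaims(claims, project) {
  const deny = (reason) => ({ ok: false, reason, roles: [] });
  const isApiKey = claims.email === API_KEY_EMAIL;

  // API keys must name a project (sub) and a key id (the issue calls it jid)
  if (isApiKey && (claims.sub === undefined || claims.jid === undefined)) {
    return deny('api key token lacks sub or jid');
  }

  // sub, when present, must be "owner/repo"; "*" as repo matches any repo of that owner
  if (claims.sub !== undefined) {
    const [owner, repo, ...rest] = String(claims.sub).split('/');
    if (rest.length || owner !== project.owner || (repo !== '*' && repo !== project.repo)) {
      return deny('sub does not match project');
    }
  }

  // jid, when present, must be one of the configured access.apiKeyId values;
  // removing an id from the config revokes every key that carries it
  if (claims.jid !== undefined && !project.apiKeyIds.includes(claims.jid)) {
    return deny('unknown or revoked api key id');
  }

  // roles: a role defined in the project config for this email overrides the
  // roles claim; otherwise the token's own roles claim (if any) is used
  const configured = project.roles && project.roles[claims.email];
  const roles = configured || (Array.isArray(claims.roles) ? claims.roles : []);
  return { ok: true, roles };
}
```

Revocation falls out of the jid check: dropping an id from `access.apiKeyId` denies every token that carries it, without touching the token itself.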

@tripodsan tripodsan added the enhancement New feature or request label May 31, 2023
@tripodsan tripodsan self-assigned this May 31, 2023
tripodsan added a commit that referenced this issue Jul 11, 2023
BREAKING CHANGE: former x-auth-* headers are no longer returned thus also needs new .hlx.live logic

- fixes #324
- fixes #285
- fixes #286
- fixes #287
github-actions bot pushed a commit that referenced this issue Jul 11, 2023
# [4.0.0](v3.11.20...v4.0.0) (2023-07-11)

### Features

* use global auth ([dfc0e06](dfc0e06)), closes [#324](#324) [#285](#285) [#286](#286) [#287](#287)

### BREAKING CHANGES

* former x-auth-* headers are no longer returned thus also needs new .hlx.live logic
@github-actions

🎉 This issue has been resolved in version 4.0.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
