Roundup Tracker - Issues

Issue 2551061

Classification
Title: Develop experimental support for JSON Web Tokens (jwt)
Type: rfe
Severity: normal
Components: API
Versions: devel

Process
Status: fixed
Resolution: fixed
Assigned To: rouilj
Nosy List: rouilj
Priority: normal
Keywords: rest

Created on 2019-09-28 00:08 by rouilj, last changed 2019-09-28 00:41 by rouilj.

Messages
msg6664 Author: [hidden] (rouilj) Date: 2019-09-28 00:08
Implemented basic support for JWTs.

Use case:

A user using a time tracking service that takes an issue id and keeps
a running count of how much time was spent on it. With a single button
push it can add the recorded time to the roundup issue.

You don't want to give this third party service your roundup username
and password. We need a way for this third party service to impersonate
you and have access to create a roundup timelog entry. Then add it to
the associated issue. This should not allow the third party service to
see the issue (except the ``times`` property), user, or other
information in the tracker. Answer: create a new role that has exactly
the required permissions. Add that role to a jwt where the subject is
the user. The remote service can use this jwt to authenticate and authorize
the needed access.

Core functionality: add support to the rest interface to accept a JWT that sets
up a session using the claimed list of roles for a particular subject
(userid). Also add a config item used as the signing key for the
jwt. Validation of JWTs should be disabled by default and if there is
not at least 32 bits of key data.

Add tests for core implementation.

Add documentation to rest.txt describing how to add rest endpoint to
create a compatible jwt.

This could also be a useful mechanism for issue2551058 - Provide mechanism
to restrict access to API by user

Scope does not include:

1. recording all jwts created by a user
2. using the record to allow jwts to be revoked and ignored by the roundup core
3. provide a UI page for viewing/managing/revoking jwts
4. provide a rest api for revoking jwts

If there are others who find this useful they can propose how to
implement the above.

For item 1, adding a jwt class with a claim property could work. Also
add a jwt multilink to the User class. When a request to create a jwt
comes in, make a new instance in the db and use the item id number as
the unique jti (JWT ID) claim in the generated jwt. When the jwt is
presented, if the matching jwt object in the db is retired, or
otherwise invalid (using an explicit valid boolean property), the jwt
is rejected.

The downside is that jwts that are expired will still clutter the db
even though they can't be used. The link between the user object and
the jwt object makes it difficult to delete the jwt objects.

See also discussion on the roundup development mailing list [Roundup-devel]
subject "using JWT with roundup". Links:

https://sourceforge.net/p/roundup/mailman/message/36768968/
https://sourceforge.net/p/roundup/mailman/message/36772438/
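Worked example, added by the editor and not code from roundup's rest interface or from the message above: a minimal HS256 mint/verify pair that follows the scheme described in msg6664 (the ``sub`` claim is the roundup userid, a ``roles`` claim carries the restricted role list, the signing key comes from configuration and validation is switched off when the key is too short) and also implements the ``jti``-based revocation check proposed under item 1 of the out-of-scope list. Every name here (``mint_jwt``, ``verify_jwt``, ``token_accepted``, ``MIN_KEY_BYTES``, the ``roles`` claim, the ``TimeTracker`` role, the ``roundup`` issuer string) is an assumption of this example; the example pins its minimum key length at 32 bytes, the HMAC-SHA256 key size, which is this example's own choice. Only the standard library is used so it runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption of this example: a signing key is usable only if it carries at
# least 32 bytes (256 bits, the HMAC-SHA256 key size); shorter keys switch
# JWT minting and validation off entirely rather than accepting weak tokens.
MIN_KEY_BYTES = 32
ISSUER = "roundup"  # assumed issuer claim value, not a name from the tracker


def _b64url(data: bytes) -> str:
    """JWT segments are unpadded base64url (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def mint_jwt(key: bytes, userid: str, roles, jti: str, lifetime=3600, now=None) -> str:
    """Mint an HS256 token for `userid` that carries only the listed roles.

    `jti` is meant to be the id of a tracker-side record for this token, so a
    retired record can later reject the token (the jwt-class idea above)."""
    if len(key) < MIN_KEY_BYTES:
        raise ValueError("signing key shorter than %d bytes" % MIN_KEY_BYTES)
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": userid, "roles": list(roles),
               "jti": jti, "iat": now, "exp": now + lifetime}
    signing_input = _json_segment(header) + "." + _json_segment(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, key: bytes, revoked_jtis=frozenset(), now=None) -> dict:
    """Return the payload of a valid token, otherwise raise ValueError.

    Order of checks: key long enough (else validation is disabled), three
    segments, alg pinned to HS256 (an attacker-supplied alg=none header must
    not bypass the MAC), MAC compared in constant time, issuer, expiry,
    revocation by jti, and a well-formed sub/roles pair."""
    if len(key) < MIN_KEY_BYTES:
        raise ValueError("JWT validation disabled: key shorter than %d bytes" % MIN_KEY_BYTES)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(key, (h64 + "." + p64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p64))
    if not isinstance(payload, dict) or payload.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    now = int(time.time()) if now is None else now
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise ValueError("expired")
    if payload.get("jti") in revoked_jtis:
        raise ValueError("revoked")
    roles = payload.get("roles")
    if (not isinstance(payload.get("sub"), str) or not isinstance(roles, list)
            or not all(isinstance(r, str) for r in roles)):
        raise ValueError("malformed claims")
    return payload


def token_accepted(token, key, revoked_jtis=frozenset(), now=None) -> bool:
    """True if verify_jwt accepts the token; json/base64 errors are ValueErrors too."""
    try:
        verify_jwt(token, key, revoked_jtis, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a 32-byte key and a token for userid "3" limited to
    # an assumed "TimeTracker" role that a tracker admin would have created.
    signing_key = b"0123456789abcdef0123456789abcdef"
    tok = mint_jwt(signing_key, "3", ["TimeTracker"], jti="1", now=1000)
    print(verify_jwt(tok, signing_key, now=1500)["roles"])                  # ['TimeTracker']
    print(token_accepted(tok, signing_key, revoked_jtis={"1"}, now=1500))  # False (jti retired)
    print(token_accepted(tok, signing_key, now=5000))                       # False (expired)
    print(token_accepted(tok, b"short", now=1500))                          # False (validation off)
```

The revoked set stands in for the "retired jwt item in the db" lookup from the message; in a real deployment the check would be a database query keyed on the ``jti``, and the session set up for the request would be granted exactly the roles in the verified ``roles`` claim and nothing inherited from the user's normal roles.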
msg6665 Author: [hidden] (rouilj) Date: 2019-09-28 00:41
committed in rev5878:1b57d8f3eb975878
History
Date                 User    Action  Args
2019-09-28 00:41:13  rouilj  set     status: new -> fixed; resolution: fixed; messages: + msg6665
2019-09-28 00:08:49  rouilj  create