Issue 2551061
Created on 2019-09-28 00:08 by rouilj, last changed 2019-09-28 00:41 by rouilj.
Messages

msg6664 | Author: [hidden] (rouilj) | Date: 2019-09-28 00:08

Implemented basic support for JWTs.

Use case: A user using a time tracking service that takes an issue id and keeps a running count of how much time was spent on it. With a single button push it can add the recorded time to the roundup issue. You don't want to give this third party service your roundup username and password. We need a way for this third party service to impersonate you and have access to create a roundup timelog entry, then add it to the associated issue. This should not allow the third party service to see the issue (except the ``times`` property), user, or other information in the tracker.

Answer: create a new role that has exactly the required permissions. Add that role to a jwt where the subject is the user. The remote service can use this jwt to authenticate and authorize the needed access.

Core functionality: add support to the rest interface to accept a JWT that sets up a session using the claimed list of roles for a particular subject (userid). Also add a config item used as the signing key for the jwt. Validation of JWTs should be disabled by default and if there is not at least 32 bits of key data. Add tests for the core implementation. Add documentation to rest.txt describing how to add a rest endpoint to create a compatible jwt.

This could also be a useful mechanism for issue2551058 - Provide mechanism to restrict access to API by user.

Scope does not include:

1. recording all jwts created by a user
2. using the record to allow jwts to be revoked and ignored by the roundup core
3. provide a UI page for viewing/managing/revoking jwts
4. provide a rest api for revoking jwts

If there are others who find this useful they can propose how to implement the above.

For item 1, adding a jwt class with a claim property could work. Also add a jwt multilink to the User class. When a request to create a jwt comes in, make a new instance in the db and use the item id number as the unique jti (JWT ID) claim in the generated jwt. When the jwt is presented, if the matching jwt object in the db is retired, or otherwise invalid (using an explicit valid boolean property), the jwt is rejected. The downside is that jwts that are expired will still clutter the db even though they can't be used. The link between the user object and the jwt object makes it difficult to delete the jwt objects.

See also the discussion on the roundup development mailing list [Roundup-devel], subject "using JWT with roundup". Links:

https://sourceforge.net/p/roundup/mailman/message/36768968/
https://sourceforge.net/p/roundup/mailman/message/36772438/
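The token shape described in msg6664 (subject = user id, a claim carrying the list of roles, a shared signing key from config, validation refused when the key is too short, and a `jti` that can be checked against a retired/revoked record) can be demonstrated end to end with a small HS256 issuer and validator. The following is an added example written for this page; it is not Roundup's own implementation and does not use its API. The claim name `roles`, the 32-byte minimum, the role name `Timelog`, the key and the revoked-id set are all constructed assumptions for the demonstration.

```python
"""Minimal HS256 JWT issue/validate pair modelled on the design in msg6664.

Example code added to this page; not Roundup's code. Names marked
'assumption' are constructed for the example, not taken from the project.
"""
import base64
import hashlib
import hmac
import json
import time

MIN_KEY_LEN = 32        # assumption: refuse to validate with keys under 32 bytes
ROLES_CLAIM = "roles"   # assumption: claim that lists the roles the token grants


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(seg: str) -> bytes:
    """Inverse of _b64url; restores the stripped padding before decoding."""
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def issue_jwt(key: bytes, subject: str, roles, ttl: int, jti: str, now=None) -> str:
    """Build an HS256-signed token for user `subject` limited to `roles`.

    `jti` is the unique token id (msg6664 suggests the db item id of a
    jwt record) so the token can later be matched against a revocation list.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, ROLES_CLAIM: list(roles),
               "iat": now, "exp": now + ttl, "jti": jti}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(payload))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_jwt(key: bytes, token: str, revoked_jti=frozenset(), now=None) -> dict:
    """Return the verified payload or raise ValueError naming the rejection.

    Validation is disabled entirely (always rejects) when the configured key
    is missing or shorter than MIN_KEY_LEN, mirroring the 'disabled by default
    and without enough key data' rule from msg6664.
    """
    if not key or len(key) < MIN_KEY_LEN:
        raise ValueError("jwt validation disabled: key shorter than %d bytes" % MIN_KEY_LEN)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        # Pin the algorithm server-side; never let the token choose it.
        raise ValueError("unsupported alg")
    expected = hmac.new(key, (h_b64 + "." + p_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p_b64))
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:
        raise ValueError("expired")
    if payload.get("jti") in revoked_jti:
        raise ValueError("revoked")   # matches a retired/invalid jwt record
    if not isinstance(payload.get(ROLES_CLAIM), list) or not payload.get("sub"):
        raise ValueError("missing sub or roles claim")
    return payload


if __name__ == "__main__":
    # Constructed demo values: a 32-byte key, user id "42", a single role.
    demo_key = b"k" * 32
    tok = issue_jwt(demo_key, "42", ["Timelog"], ttl=3600, jti="7", now=1000)
    print(validate_jwt(demo_key, tok, now=1500))
```

The validator derives the session's role list only from a token whose signature checked out, so a client cannot widen its access by editing the `roles` claim; the `revoked_jti` parameter is the hook where a lookup of the jwt record's retired/valid state from msg6664 would go.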
msg6665 | Author: [hidden] (rouilj) | Date: 2019-09-28 00:41

committed in rev5878:1b57d8f3eb975878
History

Date | User | Action | Args
---|---|---|---
2019-09-28 00:41:13 | rouilj | set | status: new -> fixed; resolution: fixed; messages: + msg6665
2019-09-28 00:08:49 | rouilj | create |