I wanted to make sure no one gets slowed down in their PRs because of the
introduction of authorization.go. It has been added to all the services
and all HTTP endpoints are affected. Here is how to get around that.
The current impl of authorization.go is algorithm-agnostic regarding
the verification. The gateway or sidecar proxy (Envoy/Istio) will handle
the verification.
This endpoint has only two purposes (for now):
- expose token claims (userID and worskspaceID) via
GetClaims(), - check that
?workspace_id=someidmatches the token's{"aud": "your-workspace-id"}
Content of this document:
- How to work with the
authorization.gomiddleware- How does OAuth 2 works in this application
- Create a JWT token manually for testing purposes
- Step 1: Create a fake JWT token with the
"aud":"workspaceid"field - Step 2: Add the
Authorizationheader to your requests - Step 3: Add the query string
?workspace_id=in your request's URL - Examples of requests with
curlandhttpie - Important: how to fetch the token's workspaceID for using it in business logic
- Step 1: Create a fake JWT token with the
We chose to use the Client credentials grant. It is a 3-legs oauth flow: the end-user, the token provider and our application. We have two sides here:
Step 1 (scheme: Client Credential Grant):
- Resource Owner is the end-user with his password and email.
- Client is the
dna-meservice (confidential client using clientID and clientSecret). - Authorization Server is Auth0.
- Resource Server is ???
Step 2 (scheme: ???):
- Resource Owner is the end-user with his password and email.
- Client (public client) is the end-user's browser or CLI.
- Authorization Server is
dna-mewithPOST /oauth/token. - Resource Server is the DNA HTTP API which holds the end-users' protected resources.
Flow:
+--------+ client_id +---------+ +----------+
| | & client_secret | | | |
| | & password & email | | password & email | |
| |<--------------------| |<------------------| |
| Auth0 | | dna-me | | Resource |
| |-------------------->| |-----------------> | Owner |
| | token | | token | |
| | with aud + sub | | with aud sub | |
| | | | | |
+--------+ +---------+ +----------+
Go to jwt.io and create manually a token that has in its payload the aud field.
aud must contain a workspace ID (later, we could also have like an array). aud
is defined in the Claims struct in authorization.go.
Example of a payload:
{
"aud": "the-workspace-id-here"
}
In your request add the Authorization header:
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ0aGUtd29ya3NwYWNlLWlkLWhlcmUifQ.CinWEubEWZGk26Yp8nYXzDAEujh5M27L0JA8m5UfwBYIn your request you also need to add the ?workspace_id=the-workspace-id-here
query string. r.URL.Queries().
export TOK="Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhYmNkIn0.sOt2JK-rYn1JlSU53Uy2-E6D3OLunuGBsXvWbq8onI4"
curl -H "authorization: $TOK" "https://staging.dna.ori.co/api/alpha/deployments?workspace_id=abcd"
http "https://staging.dna.ori.co/api/alpha/deployments?workspace_id=abcd" authorization:$TOK
Note: in order to convert from curl to http I use curl2http (CLI or
on the web) 👍
In order to get the workspace ID for business logic needs, please use:
claims, err := GetClaims(ctx)
log.Printf("%s", claims.WorkspaceID)
Some images stored in this comment (edit it to see)