Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Accept OAuth token instead of password hash #440

Closed
Brutus5000 opened this issue Jun 2, 2019 · 10 comments · Fixed by #784
Closed

Accept OAuth token instead of password hash #440

Brutus5000 opened this issue Jun 2, 2019 · 10 comments · Fixed by #784
Assignees
@Askaholic
Labels
enhancement in progress requires client changes

Comments

@Brutus5000
Copy link
Member

Brutus5000 commented Jun 2, 2019
edited
Loading

There should be only one system responsible for authentication and that is the API.
Instead of sending the hashed password to the server, the client should fetch a token from the API (which it does anyway) and send it to the server.
This would also improve client security, as a token can be stored rather than a hashed password.

Best case would be to do it in 2 steps: Add an additional command for Oauth login with parallel usage, then disable direct login.
@Askaholic
Copy link
Collaborator

I like the idea of doing authentication all in one place (namely the API) but wouldn't this be moving in the direction of a high availability API? If the server relies on the API for authentication, then if the API goes down, you can't play FAF, unless you were already logged in before the API went down.

I thought this was something you wanted to avoid.

@Brutus5000
Copy link
Member Author

Brutus5000 commented Jun 2, 2019
edited
Loading

Yes and no. What I want to avoid is losing data if the api is not available (coupling services synchronously) .
The client already has a dependency to the API for the vault etc.

Also that depends on the implementation of the token fetching. As long as the client has a valid token it does not need to query a new one for login. If we make tokens life long enough this would be only a corner case.

@Askaholic
Copy link
Collaborator

Even if the client has a valid token, if the API is down, the server has no way of verifying that the token is valid so it will still not be able to authenticate new users.

But yes, if all we're doing is authentication, then the API going down will not cause data loss. If this is the only concern then I'm all for moving authentication to the API. Having authentication all in one place will make it easier to switch to a different hashing implementation. Plus, API communication is encrypted via TLS.

@Brutus5000
Copy link
Member Author

The point of OAuth tokens is that you do not need to ask the original server. if you can validate the signature of the token you believe everything it claims.

@Askaholic
Copy link
Collaborator

Wont you need the API's secret key in order to verify the token? I'm trying to read the API code but it is unclear what algorithm the macSigner is using. I'm assuming HMAC with sha256 as that's the default on https://jwt.io/

@Brutus5000
Copy link
Member Author

Brutus5000 commented Jun 3, 2019
edited
Loading

You would configure the secret as an environment variable (or file if you go for private/public key files)

@Askaholic
Copy link
Collaborator

Yes I know how to configure application secrets, that was not the question. Adding the API secret key to the server means the API secret is not quite as secret any more and gives the server the ability to create valid API tokens. Regardless of whether or not it actually does this, it has the ability to, and therefore you can no longer be completely sure that valid tokens have actually been signed by the API and not one of the other entities out there that knows the secret key.

Sharing secret keys across multiple apps for the purpose of validating messages seems sketchy to me. I think the better solution would be to use use one of the asymmetric variants of JWT. That way the server will only need to know the API's public key and it can still verify that the token was signed by the API without introducing any additional security risks.

@Brutus5000
Copy link
Member Author

Ok. Yes, that is correct. This could be improved.

@Askaholic Askaholic mentioned this issue Jun 3, 2019
Closed
@Rackover
Copy link
Member

Rackover commented Jun 7, 2019

You can not play FAF if the API is down, in any way
Because the client relies on the API to get both the game files and (let's say the user already have the files) the gamemodes, and both are needed to host a game.
So API is already mandatory to play, there's no point avoiding to make auth go via API.

@Brutus5000
Copy link
Member Author

API side is in progress: FAForever/faf-java-api#323

Askaholic added a commit to Askaholic/server that referenced this issue Jul 20, 2019
@Askaholic
Merge branch 'develop' into feature/FAForever#440-jwt-login
cd9b279
@Askaholic Askaholic mentioned this issue Jul 20, 2019
Closed
@Askaholic Askaholic self-assigned this Jul 26, 2019
Askaholic added a commit to Askaholic/server that referenced this issue Jul 27, 2019
@Askaholic
Merge branch 'develop' into feature/FAForever#440-jwt-login
e788b2d
Askaholic added a commit to Askaholic/server that referenced this issue Jul 28, 2019
@Askaholic
Merge branch 'develop' into feature/FAForever#440-jwt-login
4877105
Askaholic added a commit to Askaholic/server that referenced this issue Jan 2, 2020
@Askaholic
Merge branch 'develop' into feature/FAForever#440-jwt-login
d9fa6a8
Askaholic added a commit to Askaholic/server that referenced this issue Jan 3, 2020
@Askaholic
Merge branch 'develop' into feature/FAForever#440-jwt-login
5ed42f9
@Askaholic Askaholic mentioned this issue May 27, 2020
Closed
@Sheikah45 Sheikah45 mentioned this issue May 23, 2021
Merged
@Sheikah45 Sheikah45 linked a pull request May 23, 2021 that will close this issue
Feature/#440 hydra token login #784
Merged
Askaholic added a commit that referenced this issue Jun 12, 2021
@Sheikah45 @Askaholic
Feature/#440 hydra token login (#784)
58c5887 
* Refactor `command_hello`

* Added `command_auth` for logging in with an API token

* Refactor hash computation in update_irc_password

* Choose IRC password as hex encoded string to avoid '/' character

* Use lowercase for resolved pub key value so it is not considered a valid config key

* Use separate variables for pub key file vs direct pub key

* More cleanup

* Use hydra token service for authentication

* import jwt algorithms

* fix import order

* Use pyjwk client

* change import

* Use older jwt version without jwkClient due to twilio constraints

update dependencies

* Use older version of twilio to get around pyjwt version lock

* Fix cron task

* Rename to OauthService

* log out decoded token

* correct decoded token field

* change sub to int

* Use aiohttp to get jwks

* Turn off audience verification

* Fix tests

* Revert db name change

* use mocks properly

* sort imports

* fix tests

* Fix codacy where possible

* Address formatting

* Remove unused import

* only update keys once fully retrieved

* Add detection for player id not in database

* log login method in metrics

* Make two labels for the user_logins

* make kid string its own fixture, log user not in db, use dict comprehension

* Fix test and formatting

* Pipenv lock from linux

* Change to prod hydra

* Fix comment

* Fix test formatting

Co-authored-by: Askaholic <askaholic907@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Askaholic Askaholic

Labels
enhancement in progress requires client changes
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Feature/#440 hydra token login FAForever/server
3 participants
@Brutus5000 @Askaholic @Rackover