Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Suggestion] Authentication Flow #2

Open
diogotcorreia opened this issue Oct 26, 2020 · 8 comments
Open

[Suggestion] Authentication Flow #2

diogotcorreia opened this issue Oct 26, 2020 · 8 comments
Assignees
@diogotcorreia @Hugo-Marques-work
Labels
discussion Needs to be discussed as a team

Comments

@diogotcorreia
Copy link
Member

diogotcorreia commented Oct 26, 2020
edited
Loading

Hugo Mark Of Approval: 👍

This is my idea for the Authentication Flow for HS Inventory. This need to be discussed in the first HS Inventory meeting.

Fenix Authentication 👍

Obviously, we're going to require everyone to login through Fenix. This ensures that only members of the HS Community can login. A list of authorized users can be managed through the admin console by an admin, by adding/removing their IST ID.

Json Web Tokens (JWT) - Short-lived

JWT tokens can be used as short-lived tokens for faster authorization. They don't need to be checked against a database, which means they're extremely efficient. They work by signing the token with a secret, so their content can't be changed without the signature failing.
We can use these tokens as a short-lived authentication method, that only lasts around 10 to 20 minutes.
These tokens have the downside that they can't be revoked remotely, in case they're compromised. That's why it's important to keep their lifespan as short as possible.

Access Tokens - Long-lived refresh tokens

Along with JWT, a refresh token is sent to the client on login. This can have a longer lifespan (let's say, a month), which would allow the client to ask for a JWT when theirs expires. In contrary to a JWT, this refresh token is stored in the database, which means it's slower to authenticate, but it can be remotely disabled if it's compromised.

Using JWT and refresh tokens together

For a very secure application, we can take advantage of both types of tokens. The authentication/authorization flow would be as follows:

  1. The user clicks the login button and gets redirected to Fenix to authenticate.
  2. The user gets back to the HS Inventory website, and the backend authenticates the user with the Fenix API token.
  3. If successful, a JWT and a refresh token are sent back to the client.
  4. The client makes whatever requests they make within 10 minutes, that is, before the JWT expires.
    The server verifies the signature of the JWT, authorizing the request.
  5. The client wants to make another request, but the JWT has expired. Instead, it sends a request with the refresh token, to which the server replies with a newly generated JWT. The server has to query the database in this request.
  6. The client can now do requests for another 10 minutes.
  7. The client can do this for a month (tbd), assuming the refresh token is stored in local storage or cookies.
  8. After a month, the client is required to login again through the Fenix API, repeating the process.

A cron job should be created to periodically delete expired refresh tokens from the database.

Flowchart:

Authentication Flowchart
@diogotcorreia diogotcorreia added the discussion Needs to be discussed as a team label Oct 26, 2020
@diogotcorreia diogotcorreia mentioned this issue Oct 26, 2020
Open
7 tasks
@Hugo-Marques-work
Copy link
Contributor

For less experiencied readers:
Authentication: Who can access the application
Authorization: What a user can do in the application

@Hugo-Marques-work
Copy link
Contributor

I agree with the general idea, but depending on what we're using this could automatically be done. We should decide wether we want to have full control here before deciding manual/automatic

@Hugo-Marques-work
Copy link
Contributor

I sugest using a diagram (can be a simple drawing) illustrating the flow ( i get it, but others might not)

@Hugo-Marques-work
Copy link
Contributor

If we decide to use this flow:

If we kicked a person, and the refresh token is not expired, would the person be able to access the application?

@Hugo-Marques-work
Copy link
Contributor

Fenix authentication: Should be doable inside the application, having to go to a console is kinda garbage

@diogotcorreia
Copy link
Member Author

@Hugo-Marques-work

If we kicked a person, and the refresh token is not expired, would the person be able to access the application?

No, if we delete the refresh token from the database, the user would lose access within 10 minutes (until the JWT expires).

Fenix authentication: Should be doable inside the application, having to go to a console is kinda garbage

Yes, Fenix authentication would be done in the UI. It shouldn't be hard to login.

I suggest using a diagram (can be a simple drawing) illustrating the flow ( i get it, but others might not)

I'll work on that for the meeting :)

@Hugo-Marques-work
Copy link
Contributor

Hugo-Marques-work commented Oct 27, 2020
edited
Loading

Yes, Fenix authentication would be done in the UI. It shouldn't be hard to login.

My bad, i was reffering to

A list of authorized users can be managed through the admin console by an admin, by adding/removing their IST ID

@diogotcorreia
Copy link
Member Author

@Hugo-Marques-work Ah, yeah. I was referring to the admin dashboard as 'admin console'. It is supposed to be a UI.

@Hugo-Marques-work Hugo-Marques-work added bug Something isn't working and removed bug Something isn't working labels Nov 1, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@diogotcorreia diogotcorreia

@Hugo-Marques-work Hugo-Marques-work

Labels
discussion Needs to be discussed as a team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@diogotcorreia @Hugo-Marques-work