Skip to content

Session authentication for REST endpoints #4741

Description

@chrisburr

As #4650 requires the addition of authenticated REST API endpoints in DIRAC that don't use certificate authentication, I think it would be a good idea to decide how we want to manage the session credentials. This can then be the basis for which services can start to be exposed over HTTPS in a RESTful way.

I think there are two options which are most suitable, both of which would be sent as a HTTP header (Authorization: Bearer <token>):

  1. Session token: A random number is generated and stored in a database. Every connection then has to query the database to find which user and group this sessions corresponds to.
  2. JSON Web Tokens (JWT/RFC 7519): The user identifier, group and any other metadata is stored as a token which is then signed using a secret on the server. The validity of this signature, and hence the session data, can be validated without needing to store any state on the server side.

I think using JWT would be beneficial for the following:

  1. Scalability: Services can validate credentials without adding any load to a database or a centralised authentication service.
  2. Reliability: If the database is ever unavailable users can still create new sessions and continue to use pre-existing sessions.

The main downside of JWT is that revoking compromised tokens can be tricky. This probably isn't a big deal as we currently can't revoke credentials very easily but there are methods by which it could be done. The simplest would probably be to add an "epoch" field to each user in the CS which is then included in all tokens which are issued. The "epoch" field can then incremented to revoke all of a user's pre-existing tokens on demand.

Other things that we might want to consider:

  • How does this work with instances running for multiple VOs? Should the VO be included in the token?
  • Should this support limiting the scope of tokens at a finer-grained level than the current groups (e.g. including a list of services a given token is/isn't allowed to access)?

Are there any other considerations or reasonable alternatives that people can think of?

Metadata

Metadata

Assignees

Labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Relationships

None yet

Development

No branches or pull requests

Issue actions