nexedi / erp5 · Merge request !138
Closed
Created Jul 06, 2016 by Cédric Le Ninivin (@cedric.leninivin, Maintainer). 2 of 5 tasks completed.

WIP: ERP5Security: Add JSON Web Token for authentication


A new Pluggable Authentication Plugin for PAS using JSON Web Token (JWT) has been implemented in ERP5. It provides two services:

  • ILoginPasswordHostExtractionPlugin to extract JWT
  • IAuthenticationPlugin to set JWT upon user validation

It uses one cookie to authenticate:

  • erp5_jwt when doing Same Site request
  • erp5_cors_jwt when doing Request from other Domains

Here is an example of the erp5_jwt cookie header:

{
  "alg": "HS256",
  "typ": "JWT"
}

erp5_jwt payload:

{
  "iat": 1475828460,
  "sub": "person_module/1",
  "ptid": 268471363270312580
}

erp5_cors_jwt payload:

{
  "iat": 1475828460,
  "sub": "person_module/1",
  "ptid": 268471363270312580,
  "cors": ["https://domain1.com", "https://domain2.com"]
}

iat is the time of issue, sub the relative URL of the "user" and ptid the tid of the password. The erp5_cors_jwt cookie adds cors, containing the list of origins authorised as Origin or Referer of a request.

The token is signed by a unique secret which can be updated (invalidating all current cookies) on the Plugin.

How to use:

  1. Add pyjwt to your software release
  2. Rebase this branch on top of yours
  3. Restart your zopes 😃
  4. Activate the Plugin. This step is not necessary if you created your ERP5 Site with this branch thanks to 696d5969.
  5. Access plugin management interface acl_users and add "ERP5 JSON Web Token Plugin".
  6. Activate the plugin as an
    • Extraction Plugins
    • Authentication Plugins
  7. Disable erp5_users plugin
  8. XXX This is temporary: Disable __ac cookie by commenting the lines setting the cookie in setAuthCookie
  9. jwt will take over on all new logins.

HowTo:

  • Invalidate Token of user: Use "Invalidate Token" Action on a user
  • Set Expiration Time for Token: Use "Set Expiration Time" tab on JWT plugin in acl_users

TODO:

  • Describe what problem is addressed by this MR
  • Give a high level description of the new authentication flow
  • Provide expiration date for the token. This expiration date should be configurable in the Plugin view
  • Add action on user to invalidate token
  • Update erp5_auto_logout and CookieCrumbler to not set __ac cookie when other plugins are in charge of authentication
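The token shape described above (HS256, payload with iat/sub/ptid, optional cors list, secret rotation invalidating everything), as an added, self-contained example that is not code from this merge request; it builds and checks the tokens with the standard library instead of pyjwt, and the verification rules (ptid match, cors origin check, max age) are this example's own illustration of the description, not the plugin's code.

```python
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(secret: bytes, sub: str, ptid: int, cors=None, iat=None) -> str:
    """Build an HS256 JWT shaped like erp5_jwt (cors=None) or erp5_cors_jwt."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iat": iat if iat is not None else int(time.time()), "sub": sub, "ptid": ptid}
    if cors is not None:
        payload["cors"] = list(cors)          # origins allowed for cross-site requests
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(secret: bytes, token: str, current_ptid: int, origin=None, max_age=None):
    """Return the payload when the token is acceptable, otherwise None."""
    try:
        h64, p64, s64 = token.split(".")
        expected = hmac.new(secret, (h64 + "." + p64).encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return None                       # forged, tampered, or secret rotated
        header = json.loads(_b64url_decode(h64))
        payload = json.loads(_b64url_decode(p64))
    except ValueError:                        # malformed base64 or JSON
        return None
    if header.get("alg") != "HS256":
        return None                           # only the algorithm we issue is accepted
    if payload.get("ptid") != current_ptid:
        return None                           # password changed since the token was issued
    if max_age is not None and time.time() - payload.get("iat", 0) > max_age:
        return None                           # token older than the configured expiration
    if origin is not None and origin not in payload.get("cors", []):
        return None                           # cross-site request from an unlisted origin
    return payload
```

Rotating `secret` on the server side rejects every previously issued token, which is the invalidation behaviour the description attributes to updating the plugin's secret.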
Source branch: jwt