WIP: ERP5Security: Add JSON Web Token for authentication (!138) · Merge Requests · nexedi / erp5

WIP: ERP5Security: Add JSON Web Token for authentication

A new Pluggable Authentication Plugin for PAS using JSON Web Token (JWT) has been implmented ERP5. It provides two services:

ILoginPasswordHostExtractionPlugin to extract JWT
IAuthenticationPlugin to set JWT upon user validation

It uses one cookie to authenticate:

erp5_jwt when doing Same Site request
erp5_cors_jwt when doing Request from other Domains

Here is an example of erp5_jwt cookie HEADER

{
  "alg": "HS256",
  "typ": "JWT"
}

erp5_jwt payload:

{
  "iat": 1475828460,
  "sub": "person_module/1",
  "ptid": 268471363270312580
}

erp5_cors_jwt payload:

{
  "iat": 1475828460,
  "sub": "person_module/1",
  "ptid": 268471363270312580,
  "cors": ["https://domain1.com", "https://domain2.com"]
}

iat is the time of issue time, sub the relative url of the "user" and ptid the tid of the password. erp5_cors_jwt cookie adds cors containing the list of origin authorised to be Origin or Referer of a request.

The token is signed by a unique secret which can be updated (invalidating all current cookies) on the Plugin.

How to use:

Add pyjwt to your software release
Rebase this branch on top of yours
Restart your zopes 😃
Activate the Plugin. This step is not necessary if you created your ERP5 Site with this branch thanks to 696d5969.
Access plugin management interface acl_users and add "ERP5 JSON Web Token Plugin".
Activate the plugin as an
- Extraction Plugins
- Authentication Plugins
Disable erp5_users plugin
XXX This is temporary: Disable __ac cookie by commenting the lines setting the cookie in setAuthCookie
jwt will take over on all new logins.

HowTo:

Invalidate Token of user: Use "Invalidate Token" Action on a user
Set Expiration Time for Token: Use "Set Expiration Time" tab on JWT plugin in acl_users

TODO:

Describe what problem is addressed by this MR
Give a high level description of the new authentication flow
Provide expiration date for the token. This expiration date should be configurable in the Plugin view
Add action on user to invalidate token
Update erp5_auto_logout and CookieCrumbler to not set __ac cookie when other plugins are in charge of authentication

A new Pluggable Authentication Plugin for PAS using [JSON Web Token (JWT)](https://jwt.io/introduction/) has been implmented ERP5. It provides two services:
* ILoginPasswordHostExtractionPlugin to extract JWT
* IAuthenticationPlugin to set JWT upon user validation

It uses one cookie to authenticate:
* erp5_jwt when doing Same Site request
* erp5_cors_jwt when doing Request from other Domains

Here is an example of erp5_jwt cookie
HEADER
```
{
  "alg": "HS256",
  "typ": "JWT"
}
```
erp5_jwt payload:
```
{
  "iat": 1475828460,
  "sub": "person_module/1",
  "ptid": 268471363270312580
}
```
erp5_cors_jwt payload:
```
{
  "iat": 1475828460,
  "sub": "person_module/1",
  "ptid": 268471363270312580,
  "cors": ["https://domain1.com", "https://domain2.com"]
}
```
`iat` is the time of issue time, `sub` the relative url of the "user" and `ptid` the tid of the password. 
erp5_cors_jwt cookie adds `cors` containing the list of origin authorised to be Origin or Referer of a request.

The token is signed by a unique secret which can be updated (invalidating all current cookies) on the Plugin.

How to use:
1. Add [pyjwt](https://lab.nexedi.com/cedric.leninivin/slapos/commit/2c266bc5b7da4269b660f2384de027a3a0ca1993) to your software release
1. Rebase this branch on top of yours
2. Restart your zopes :smiley: 
3. Activate the Plugin. This step is not necessary if you created your ERP5 Site with this branch thanks to 696d5969.
  1. Access plugin management interface `acl_users` and add "ERP5 JSON Web Token Plugin". 
  2. Activate the plugin as an
       * Extraction Plugins
       * Authentication Plugins
  3. Disable erp5_users plugin
4. XXX This is temporary: Disable __ac cookie by commenting the lines setting the cookie in [setAuthCookie](https://lab.nexedi.com/nexedi/erp5/blob/master/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_auto_logout/setAuthCookie.py#L18)
5. jwt will take over on all new logins.

HowTo:
* Invalidate Token of user: Use "Invalidate Token" Action on a user
* Set Expiration Time for Token: Use "Set Expiration Time" tab on JWT plugin in acl_users

TODO:
- [ ] Describe what problem is addressed by this MR
- [ ] Give a high level description of the new authentication flow
- [x] Provide expiration date for the token. This expiration date should be configurable in the Plugin view
- [x] Add action on user to invalidate token
- [ ] Update [erp5_auto_logout](https://lab.nexedi.com/nexedi/erp5/blob/master/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_auto_logout/setAuthCookie.py) and [CookieCrumbler](https://lab.nexedi.com/nexedi/erp5/blob/master/product/ERP5Type/patches/CookieCrumbler.py#L146) to not set __ac cookie when other plugins are in charge of authentication

WIP: ERP5Security: Add JSON Web Token for authentication

Check out, review, and merge locally