EDIT: Issues (<a href="https://dev.e-taxonomy.eu/redmine/">https://dev.e-taxonomy.eu/redmine/</a>), updated 2021-03-03T16:54:27Z, EDIT Project Management
feature request #9508 (New): OpenID Connect 1.0 authentication with ORCID (<a href="https://dev.e-taxonomy.eu/redmine/issues/9508">#9508</a>, 2021-03-03T16:54:27Z, Andreas Kohlbecker)
<p>ORCID offers an OpenID Connect 1.0 service (a simple identity layer on top of the OAuth 2.0 protocol) which allows users to be authenticated with their ORCID iD: <a href="https://github.com/ORCID/ORCID-Source/blob/master/orcid-web/ORCID_AUTH_WITH_OPENID_CONNECT.md" class="external">ORCID_AUTH_WITH_OPENID_CONNECT</a>. An example of its use in a Spring Boot application is also provided in the ORCID GitHub repository: <a href="https://github.com/ORCID/orcid-openid-examples/blob/master/really-simple-orcid-oauth/src/main/java/org/orcid/simple/ReallySimpleOrcidOauthApplication.java">https://github.com/ORCID/orcid-openid-examples/blob/master/really-simple-orcid-oauth/src/main/java/org/orcid/simple/ReallySimpleOrcidOauthApplication.java</a></p>
feature request #6332 (New): cdm-dataportal as oauth2 client of cdm-remote instances (<a href="https://dev.e-taxonomy.eu/redmine/issues/6332">#6332</a>, 2017-01-16T10:14:01Z, Andreas Kohlbecker)
<p>The drupal modules providing oauth2 client functionality:</p>
<ul>
<li><a href="https://www.drupal.org/project/oauth2_client" class="external">oauth2_client</a> - (Drupal 7, Drupal 8 in beta state)</li>
<li><a href="https://www.drupal.org/project/miniorange_oauth_client" class="external">miniorange_oauth_client</a> - (Drupal 7)</li>
</ul>
<p>In addition to that, the cdm users need to be mapped to corresponding Drupal users. See the diagram in <a class="issue tracker-6 status-5 priority-11 priority-default closed" title="task: evaluate spring-security-oauth2 and spring-cloud-security as a framework for OAuth2 (Closed)" href="https://dev.e-taxonomy.eu/redmine/issues/6118">#6118</a> for details.</p>
bug #6248 (Closed): allow machine clients to access /manage/* OAuth2 protected web services (<a href="https://dev.e-taxonomy.eu/redmine/issues/6248">#6248</a>, 2016-12-06T14:19:53Z, Andreas Kohlbecker)
<p>The creation of the Lucene indexes cannot be triggered from Jenkins jobs or from the dataportal settings pages, since the /manage/ web services require authentication.</p>
<p>The best solution to this problem is to allow the definition of global management user accounts which apply to any cdm-remote instance started by a system user.<br>
These users' credentials must therefore not be stored in the cdm databases. To store them independently of the cdm instances, a configuration file located in <code>$HOME/.cdmLibrary</code> is the preferred storage solution. </p>
<hr>
<p><strong>Old issue description:</strong></p>
<p>The authorization problem in the dataportal will be solved as soon as the oauth2 client capabilities are implemented in the data portal module: <a class="issue tracker-5 status-1 priority-12 priority-high14" title="feature request: cdm-dataportal as oauth2 client of cdm-remote instances (New)" href="https://dev.e-taxonomy.eu/redmine/issues/6332">#6332</a>. In the case of Jenkins it is not possible to provide proper cdm user credentials for each of the instances to be indexed. In this case another grant type is needed. <br>
For this service endpoint it must be possible to authorize via the OAuth2 grant type 'client' (client credentials, <a href="https://tools.ietf.org/html/rfc6749#section-4.4">https://tools.ietf.org/html/rfc6749#section-4.4</a>).</p>
<p>TODO:</p>
<ul>
<li>enable grant type 'client' for /manage/</li>
<li>check for valid clients based on a key. The allowed keys are stored in <code>$USER_HOME/cdm-remote-client-keys</code>, each on a separate line. A key must conform to an md5 hash (or UUID?).</li>
<li>provide script for jenkins to authenticate --> subticket</li>
<li>implement client authentication into the dataportal. This should be doable by making use of the OAuth2 plugin available for Drupal7, see <a class="issue tracker-6 status-5 priority-11 priority-default closed" title="task: evaluate spring-security-auth2 and spring-cloud-security as a framework for OAuth2 (Closed)" href="https://dev.e-taxonomy.eu/redmine/issues/6118">#6118</a> --> subticket</li>
</ul>
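<p>As an added example (not cdmlib code, and not the solution the ticket finally chose), the following shows how the global management clients could be wired with spring-security-oauth2: the authorization server registers each entry of an assumed key file <code>$HOME/.cdmLibrary/cdm-remote-client-keys</code> (one <code>clientId:bcryptHashOfSecret</code> per line; file name, format and all class names are assumptions) as a client that may only use the <code>client_credentials</code> grant with scope <code>manage</code>, and the resource server accepts only such client-only tokens on <code>/manage/**</code>. Unlike the md5/UUID key of the TODO above, the file holds BCrypt hashes, so a copied file does not yield usable credentials.</p>

```java
package eu.etaxonomy.cdm.remote.oauth; // hypothetical package, not part of cdmlib

import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.config.annotation.builders.InMemoryClientDetailsServiceBuilder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

/**
 * Registers the global management clients (Jenkins, data portal) with the
 * authorization server. Assumed key file: $HOME/.cdmLibrary/cdm-remote-client-keys,
 * one "clientId:bcryptHashOfSecret" per line, '#' starts a comment line.
 */
@Configuration
@EnableAuthorizationServer
public class MachineClientAuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    private static final Path KEY_FILE =
            Paths.get(System.getProperty("user.home"), ".cdmLibrary", "cdm-remote-client-keys");

    private final BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        // /oauth/token authenticates the client (HTTP Basic clientId:secret) against the stored hash
        security.passwordEncoder(encoder);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        InMemoryClientDetailsServiceBuilder builder = clients.inMemory();
        for (String raw : Files.readAllLines(KEY_FILE, StandardCharsets.UTF_8)) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) {
                continue;
            }
            int sep = line.indexOf(':');
            if (sep < 1 || sep == line.length() - 1) {
                throw new IllegalStateException("malformed client entry in " + KEY_FILE);
            }
            builder.withClient(line.substring(0, sep))
                   .secret(line.substring(sep + 1))            // BCrypt hash, never the plain secret
                   .authorizedGrantTypes("client_credentials")  // no resource owner, hence no refresh_token
                   .scopes("manage")
                   .authorities("ROLE_MANAGE_CLIENT")
                   .accessTokenValiditySeconds(300);            // a Jenkins job fetches a fresh token each run
        }
    }
}

/** Resource server side: /manage/** accepts only client-only tokens carrying the "manage" scope. */
@Configuration
@EnableResourceServer
class ManageResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .requestMatchers().antMatchers("/manage/**")
                .and()
            .authorizeRequests()
                // #oauth2.isClient() rejects user tokens obtained via authorization_code or implicit
                .antMatchers("/manage/**").access("#oauth2.isClient() and #oauth2.hasScope('manage')");
    }
}
```

<p>A Jenkins job then obtains a token with <code>POST /oauth/token</code>, HTTP Basic <code>clientId:secret</code> and the form body <code>grant_type=client_credentials&amp;scope=manage</code> (rfc6749 section 4.4), and calls <code>/manage/...</code> with <code>Authorization: Bearer &lt;token&gt;</code>. Entries for the key file are produced with <code>new BCryptPasswordEncoder().encode(secret)</code>; the file should be mode 0600, since whoever reads it can mint management tokens for every cdm-remote instance started by that system user.</p>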
feature request #6232 (New): secure OAuth2 grant types 'implicit' or 'password' by TLS/SSL (<a href="https://dev.e-taxonomy.eu/redmine/issues/6232">#6232</a>, 2016-12-01T15:14:57Z, Andreas Kohlbecker)
<p>for details see <a class="issue tracker-6 status-5 priority-11 priority-default closed" title="task: evaluate spring-security-auth2 and spring-cloud-security as a framework for OAuth2 (Closed)" href="https://dev.e-taxonomy.eu/redmine/issues/6118">#6118</a></p>
task #6125 (New): Implement tests for OAuth2 in cdmlib-remote (<a href="https://dev.e-taxonomy.eu/redmine/issues/6125">#6125</a>, 2016-10-11T16:09:16Z, Andreas Kohlbecker)
<p>The tests in the spring-projects/spring-security-oauth <code>samples/oauth2/sparklr</code> project are a good start!</p>
task #6118 (Closed): evaluate spring-security-oauth2 and spring-cloud-security as a framework for OAuth2 (<a href="https://dev.e-taxonomy.eu/redmine/issues/6118">#6118</a>, 2016-10-05T11:18:11Z, Andreas Kohlbecker)
<p><a href="http://projects.spring.io/spring-security-oauth" class="external">spring-security-oauth</a> &amp; <a href="http://cloud.spring.io/spring-cloud-security/" class="external">Spring-Cloud-Security</a> bring OAuth2 to Spring applications.</p>
<ul>
<li>OAuth2 in general is provided by <a href="http://projects.spring.io/spring-security-oauth/docs/oauth2.html" class="external">spring-security-oauth</a>
<ul>
<li>For full details, see the <a href="http://projects.spring.io/spring-security-oauth/docs/oauth2.html" class="external">Spring Security OAuth 2 Developers Guide</a></li>
</ul></li>
<li>The oauth2-authorization-server feature as supported by spring-boot: <a href="http://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#boot-features-security-oauth2-authorization-server" class="external">http://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#boot-features-security-oauth2-authorization-server</a></li>
<li>spring-cloud-security provides the client side authentication feature for a distributed environment with support for proxying the requests.
<ul>
<li><a href="http://cloud.spring.io/spring-cloud-security/spring-cloud-security.html">http://cloud.spring.io/spring-cloud-security/spring-cloud-security.html</a></li>
<li><a href="https://github.com/spring-cloud/spring-cloud-security">https://github.com/spring-cloud/spring-cloud-security</a></li>
</ul></li>
</ul>
<a name="OAuth2"></a>
<h2 >OAuth2<a href="#OAuth2" class="wiki-anchor">¶</a></h2>
<ul>
<li><a href="https://tools.ietf.org/html/rfc6749" class="external"><strong>rfc6749</strong></a></li>
<li><a href="https://entwickler.de/online/agile/so-funktioniert-oauth2-134316.html">https://entwickler.de/online/agile/so-funktioniert-oauth2-134316.html</a></li>
</ul>
<a name="OAuth2-security-threads-and-consideration"></a>
<h3 >OAuth2 security threats and considerations<a href="#OAuth2-security-threads-and-consideration" class="wiki-anchor">¶</a></h3>
<ul>
<li><a href="https://tools.ietf.org/html/rfc6819" class="external">rfc6819 - OAuth 2.0 Threat Model and Security Considerations</a></li>
<li><a href="http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html">http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html</a></li>
</ul>
<a name="Specification-details"></a>
<h3 >Specification details<a href="#Specification-details" class="wiki-anchor">¶</a></h3>
<p>The OAuth2 specification (<a href="https://tools.ietf.org/html/rfc6749" class="external">rfc6749</a>) defines four grant types (sections 4.1 to 4.4), plus the extension mechanism of section 4.5 and the refresh token exchange of section 6:</p>
<table><thead>
<tr>
<th>rfc6749 section</th>
<th>grant_type</th>
<th>implemented and tested in cdmlib</th>
</tr>
</thead><tbody>
<tr>
<td><a href="https://tools.ietf.org/html/rfc6749#section-4.1" class="external">4.1. Authorization Code Grant</a></td>
<td><code>grant_type=authorization_code</code></td>
<td><strong>OK</strong></td>
</tr>
<tr>
<td><a href="https://tools.ietf.org/html/rfc6749#section-4.2" class="external">4.2. Implicit Grant</a></td>
<td><code>grant_type=implicit</code></td>
<td><strong>OK</strong></td>
</tr>
<tr>
<td><a href="https://tools.ietf.org/html/rfc6749#section-4.3" class="external">4.3. Resource Owner Password Credentials Grant</a></td>
<td><code>grant_type=password</code></td>
<td>undesirable</td>
</tr>
<tr>
<td><a href="https://tools.ietf.org/html/rfc6749#section-4.4" class="external">4.4. Client Credentials Grant</a></td>
<td><code>grant_type=client_credentials</code></td>
<td>see <a class="issue tracker-4 status-5 priority-10 priority-lowest closed" title="bug: allow machine clients to access /manage/* OAuth2 protected web services (Closed)" href="https://dev.e-taxonomy.eu/redmine/issues/6248">#6248</a></td>
</tr>
<tr>
<td><a href="https://tools.ietf.org/html/rfc6749#section-4.5" class="external">4.5. Extension Grants</a> - (extensibility mechanism for defining additional types)</td>
<td></td>
<td>not needed</td>
</tr>
<tr>
<td><a href="https://tools.ietf.org/html/rfc6749#section-6" class="external">6. Refreshing an Access Token</a></td>
<td><code>grant_type=refresh_token</code></td>
<td><strong>TODO</strong></td>
</tr>
</tbody></table>
<p>When using <code>implicit</code> or <code>password</code> the communication must be secured by <strong>TLS/SSL</strong>: the implicit grant returns the access token in the fragment of the redirect URI, and the password grant sends the resource owner's credentials to the token endpoint, so on a plain-text channel either is fully exposed. (<a href="https://tools.ietf.org/html/rfc6749#section-1.6" class="external">rfc6749 section 1.6</a> in fact requires TLS for every request to the authorization and token endpoints, whatever the grant; these two are merely the grants where the damage is worst.) TLS/SSL can be enforced in <code>spring-security-oauth</code>. --> <a class="issue tracker-5 status-1 priority-11 priority-default" title="feature request: secure OAuth2 grant types 'implicit' or 'password' by TLS/SSL. (New)" href="https://dev.e-taxonomy.eu/redmine/issues/6232">#6232</a></p>
<p>Test Requests for testing various grant types during development are found in <a class="attachment" href="https://dev.e-taxonomy.eu/redmine/attachments/995">OAuth2-test.sh</a></p>
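<p>An added example (not cdmlib code; class names assumed) of enforcing TLS on the two endpoints those grants touch: <code>sslOnly()</code> covers the token endpoint chain (<code>/oauth/token</code>, used by <code>password</code>), and <code>requiresChannel()</code> in the user-facing chain covers <code>/oauth/authorize</code> (where <code>implicit</code> hands the token back in the redirect fragment) and the login form.</p>

```java
package eu.etaxonomy.cdm.remote.oauth; // hypothetical package, not part of cdmlib

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

/**
 * Token endpoint chain. grant_type=password posts the resource owner's
 * username and password to /oauth/token, so that endpoint must never
 * answer over plain HTTP.
 */
@Configuration
@EnableAuthorizationServer
public class TlsOnlyAuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        // requires a secure channel for /oauth/token and /oauth/check_token;
        // a plain-HTTP request is redirected to https (and its POST body is lost),
        // so clients must start with https rather than rely on the redirect
        security.sslOnly();
    }
}

/**
 * User-facing chain. grant_type=implicit hands the access token back in the
 * fragment of the redirect issued by /oauth/authorize, and the login form
 * carries the user's password, so both paths are restricted to https too.
 */
@Configuration
class TlsOnlyWebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .requiresChannel()
                .antMatchers("/login", "/oauth/authorize").requiresSecure()
                .and()
            .authorizeRequests()
                .antMatchers("/login").permitAll()
                .anyRequest().hasRole("USER")
                .and()
            .formLogin();
    }
}
```

<p>The same <code>requiresChannel().anyRequest().requiresSecure()</code> belongs in the resource server chain, since a bearer token replayed from a plain-HTTP request is as good as the credentials it was issued for. Caveat when TLS is terminated by a reverse proxy: the servlet container then sees plain HTTP and <code>requiresSecure()</code> redirects every request in a loop, unless the container honours <code>X-Forwarded-Proto</code> (in Spring Boot 1.x: <code>server.use-forward-headers=true</code>).</p>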
<a name="Example-implementations"></a>
<h3 >Example implementations<a href="#Example-implementations" class="wiki-anchor">¶</a></h3>
<p>The reference implementation is found at github: <a href="https://github.com/spring-projects/spring-security-oauth" class="external">spring-projects/spring-security-oauth</a>, where the <code>samples/oauth2/sparklr</code> project is most relevant for us. This is an example for the password grant type: <a href="http://blog.e-zest.net/rest-authentication-using-oauth-2-0-resource-owner-password-flow-protocol/">http://blog.e-zest.net/rest-authentication-using-oauth-2-0-resource-owner-password-flow-protocol/</a></p>
<a name="Usage-scenarios"></a>
<h2 >Usage scenarios<a href="#Usage-scenarios" class="wiki-anchor">¶</a></h2>
<a name="Dataportal-as-OAuth2-Client-using-grant_typeauthorization_code"></a>
<h3 >Dataportal as OAuth2 Client using <code>grant_type=authorization_code</code><a href="#Dataportal-as-OAuth2-Client-using-grant_typeauthorization_code" class="wiki-anchor">¶</a></h3>
<p><img src="https://dev.e-taxonomy.eu/redmine/attachments/download/997/OAuth2-sequence-diagram-DataPortal.png" alt="" /></p>
<a name="Dataportal-as-OAuth2-Client-using-grant_typeimplicit"></a>
<h3 >Dataportal as OAuth2 Client using <code>grant_type=implicit</code><a href="#Dataportal-as-OAuth2-Client-using-grant_typeimplicit" class="wiki-anchor">¶</a></h3>
<a name="Notes"></a>
<h2 >Notes<a href="#Notes" class="wiki-anchor">¶</a></h2>
<a name="spring-security-oauth"></a>
<h3 >spring-security-oauth<a href="#spring-security-oauth" class="wiki-anchor">¶</a></h3>
<p>The following endpoints are required in the Spring Security filter chain in order to implement an OAuth 2.0 Authorization Server:</p>
<ul>
<li> <code>AuthorizationEndpoint</code> is used to service requests for authorization. Default URL: <code>/oauth/authorize</code>. This endpoint should be protected using Spring Security so that it is only accessible to authenticated users. For instance using a standard Spring Security WebSecurityConfigurer:</li>
</ul>
<pre>import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().antMatchers("/login").permitAll().and()
            // default protection for all resources (including /oauth/authorize)
            .authorizeRequests()
                .anyRequest().hasRole("USER");
        // ... more configuration, e.g. for form login
    }
}
</pre>
<p><strong>Note:</strong> if your Authorization Server is also a Resource Server then there is another <a href="http://docs.spring.io/spring-security/site/docs/4.1.3.RELEASE/reference/htmlsingle/#security-filter-chain" class="external">security filter chain</a> with lower priority controlling the API resources. For those requests to be protected by access tokens you need their paths not to be matched by the ones in the main user-facing filter chain, so be sure to include a request matcher that picks out only non-API resources in the WebSecurityConfigurer above. (see <a href="http://projects.spring.io/spring-security-oauth/docs/oauth2.html#configuring-the-endpoint-urls" class="external">configuring-the-endpoint-urls</a>)</p>
<ul>
<li> <code>TokenEndpoint</code> is used to service requests for access tokens. Default URL: <code>/oauth/token</code>.</li>
</ul>
<p>The following filter is required to implement an OAuth 2.0 Resource Server:</p>
<ul>
<li> The <code>OAuth2AuthenticationProcessingFilter</code> is used to load the Authentication for the request given an authenticated access token.</li>
</ul>
<a name="Anonymous-Authentication"></a>
<h3 >Anonymous Authentication<a href="#Anonymous-Authentication" class="wiki-anchor">¶</a></h3>
<p>Useful when pages must be reachable without a login but should still behave differently for authenticated and anonymous users (see <a href="http://docs.spring.io/spring-security/site/docs/4.1.3.RELEASE/reference/htmlsingle/#anonymous" class="external">spring-security 4.1.3.RELEASE #anonymous</a>).</p>
<p>Is configured automatically when using the WebSecurityConfigurerAdapter. By default anonymous users are represented by a token carrying the role "ROLE_ANONYMOUS".</p>
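<p>Added example (not project code; class name and paths assumed) of a user-facing WebSecurityConfigurer that follows the two notes above: it claims only the non-API paths, so that <code>/api/**</code> and <code>/manage/**</code> fall through to the <code>@EnableResourceServer</code> chain and its <code>OAuth2AuthenticationProcessingFilter</code> (that chain is assumed to list the same paths in its <code>requestMatchers()</code>), and it keeps anonymous authentication on so that public pages can branch on <code>ROLE_ANONYMOUS</code> instead of on a null <code>Authentication</code>.</p>

```java
package eu.etaxonomy.cdm.remote.oauth; // hypothetical package, not part of cdmlib

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;

@Configuration
public class UserFacingSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // This chain handles everything except the token-protected paths. Whatever
            // the relative order of the two chains, restricting each one by matcher
            // guarantees an API request is never answered by the form-login chain.
            .requestMatcher(new NegatedRequestMatcher(new OrRequestMatcher(
                    new AntPathRequestMatcher("/api/**"),
                    new AntPathRequestMatcher("/manage/**"))))
            .authorizeRequests()
                .antMatchers("/login", "/error").permitAll()
                // the AuthorizationEndpoint must see a real user, so this triggers form login
                .antMatchers("/oauth/authorize").hasRole("USER")
                // public portal pages: reachable without login ...
                .anyRequest().permitAll()
                .and()
            .formLogin()
                .and()
            // ... but still carrying an Authentication: AnonymousAuthenticationFilter injects
            // one with ROLE_ANONYMOUS, so a page can use hasRole("USER") vs. ROLE_ANONYMOUS
            // to decide what to render, and a controller never gets a null principal
            .anonymous()
                .principal("anonymousUser")
                .authorities("ROLE_ANONYMOUS");
    }
}
```

<p>The two <code>anonymous()</code> settings shown are the defaults; they are spelled out only to make visible what <code>WebSecurityConfigurerAdapter</code> configures automatically. Disabling them with <code>.anonymous().disable()</code> would make the <code>permitAll()</code> pages run with no <code>Authentication</code> at all, which is the situation the Notes section warns against.</p>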