blog.notmyidea.org/drafts/mozilla-the-sagrada-token-server.html
2019-07-02 22:54:50 +00:00


<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1">
<link rel="shortcut icon" type="image/x-icon" href="favicon.ico" />
<title>Mozilla - The sagrada token server - Carnets Web</title>
<meta charset="utf-8" />
<link href="https://blog.notmyidea.org/feeds/all.atom.xml" type="application/atom+xml" rel="alternate" title="Carnets Web Full Atom Feed" />
<link rel="stylesheet" href="https://blog.notmyidea.org/theme/css/poole.css"/>
<link rel="stylesheet" href="https://blog.notmyidea.org/theme/css/syntax.css"/>
<link rel="stylesheet" href="https://blog.notmyidea.org/theme/css/lanyon.css"/>
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=PT+Serif:400,400italic,700%7CPT+Sans:400">
<link rel="stylesheet" href="https://blog.notmyidea.org/theme/css/styles.css"/>
<meta name="tags" contents="sagrada" />
<meta name="tags" contents="python" />
<meta name="tags" contents="browserid" />
<style>
h1 {
font-family: "Avant Garde", Avantgarde, "Century Gothic", CenturyGothic, "AppleGothic", sans-serif;
padding: 80px 50px;
text-align: center;
text-transform: uppercase;
text-rendering: optimizeLegibility;
color: #202020;
letter-spacing: .1em;
text-shadow:
-1px -1px 1px #111,
2px 2px 1px #eaeaea;
}
#main {
text-align: justify;
text-justify: inter-word;
}
#main h1 {
padding: 10px;
}
.post-headline {
padding: 15px;
}
</style>
</head>
<body>
<!-- Target for toggling the sidebar `.sidebar-checkbox` is for regular
styles, `#sidebar-checkbox` for behavior. -->
<input type="checkbox" class="sidebar-checkbox" id="sidebar-checkbox">
<!-- Toggleable sidebar -->
<div class="sidebar" id="sidebar">
<div class="sidebar-item">
<div class="profile">
<img src="https://blog.notmyidea.org/theme/img/profile.png"/>
</div>
</div>
<nav class="sidebar-nav">
<a class="sidebar-nav-item" href="/">Articles</a>
<a class="sidebar-nav-item" href="https://www.vieuxsinge.com">Brasserie du Vieux Singe</a>
<a class="sidebar-nav-item" href="http://blog.notmyidea.org/pages/about.html">About</a>
<a class="sidebar-nav-item" href="https://twitter.com/ametaireau">Short messages</a>
<a class="sidebar-nav-item" href="https://github.com/almet">Code</a>
</nav>
</div> <div class="wrap">
<div class="masthead">
<div class="container">
<h3 class="masthead-title">
<a href="https://blog.notmyidea.org/" title="Home">Carnets Web</a>
</h3>
</div>
</div>
<div class="container content">
<div id="main" class="posts">
<h1 class="post-title">Mozilla - The sagrada token server</h1>
<span class="post-date">19 March 2012</span>
<img id="illustration" src="" />
<div class="post article">
<h1>🌟</h1>
<p>Since I started, back in December, we have been working on a new project on
the services team, which aims to provide a central authentication point on our
server side. This was motivated by the fact that we are switching our services'
authentication mechanism from basic HTTP auth to browserid (this was basically
for sync in the first place, and now for AITC, a.k.a. Market Place APIs).</p>
<ul class="simple">
<li>A Token Server ?</li>
<li>Services architecture (server / nodes)</li>
<li>MAC auth</li>
<li>Crypto / Signing
<ul class="simple">
<li>HKDF</li>
<li>Signing the tokens</li>
<li>Parsing browserid assertions</li>
</ul>
</li>
<li>Resources</li>
</ul>
<div class="section" id="a-token-server">
<h2>A token server ?</h2>
<p>So, we don't want to be tied to any single authentication mechanism on our
platform. The best way to accomplish this is to choose one and to provide a way
to map all the potential authentication mechanisms to the chosen one.</p>
<p>In addition to trading a browserid assertion for another authentication token,
the mission of the token server is to retrieve the node allocation of a
particular user, and eventually assign the user to a node.</p>
<p>To sum up, we take any authentication scheme (browserid for now) and
trade it for another one we can use for all of our services. This has several
advantages:</p>
<ul class="simple">
<li>We don't need to check the browserid assertion at each request. This avoids
doing crypto at each request.</li>
<li>As said, we are able to deal with different authentication schemes. If we
want to use openid, we just need to add support for it in one place.</li>
<li>The node allocation is done anyway (the user needs to know which node it is
assigned to), so it doesn't add an extra call for this.</li>
</ul>
</div>
<div class="section" id="our-architecture">
<h2>Our architecture</h2>
<p>I'm talking about nodes, users and services. Let's clarify all this a bit.
Because at the services team we mostly care about being able to scale our
infrastructure without (too much) pain, we try to avoid SPOFs (Single Points Of
Failure) of any sort. For this purpose, we expose at the authentication layer
the information about the node that needs to be retrieved by the clients.</p>
<p>What? clients? Okay, here is what the authentication looks like:</p>
<pre class="literal-block">
User-Agent         Token Server                Node
|                        |                       |
|    &lt;bid assertion&gt;     |                       |
|-----------------------&gt;|                       |
|                        |                       |
|&lt;token + userid + node&gt; |                       |
|&lt;-----------------------|                       |
|                        |                       |
|             &lt;service-data + token&gt;             |
|-----------------------------------------------&gt;|
</pre>
<p>In HTTP terms, it looks like this: the user agent (client) sends a browserid
assertion and receives back information about the service it should deal with:</p>
<pre class="literal-block">
&gt; HTTP POST http://token.services.mozilla.org/1.0/&lt;app&gt;/&lt;app-version&gt;
&gt; Data: # some authentication information (browserid assertion in our case)
&lt; Header: 200 OK
&lt; Data: &quot;{'id': token, 'key': secret, 'uid': uid, 'api_endpoint': api_endpoint}&quot;
</pre>
<p>(This is a hand-crafted request/response flow.)</p>
<p>We don't go into the signing and crypto details here, as they are explained
in a later section, but basically, we asked for a node with a specific
browserid assertion, and now we have an <em>api_endpoint</em> to send our requests
to, along with the token.</p>
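<p>The exchange described above, sketched end to end as an added example; it is not code from the original post or from Mozilla's token server. Assumptions: HMAC-SHA256 signing, one master secret shared by the token server and the nodes, hypothetical HKDF labels, constructed sample values, and a simplified request MAC over method and path only (a real MAC scheme also binds a timestamp and nonce to prevent replay).</p>

```python
import base64, hashlib, hmac, json, time

# Assumption: one secret shared by the token server and the nodes (constructed value).
MASTER_SECRET = b"constructed-shared-secret"

def hkdf_sha256(ikm, info, salt=b"\x00" * 32):
    """Single-block HKDF (RFC 5869), 32 bytes of output."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()             # extract
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()  # expand

SIGNING_KEY = hkdf_sha256(MASTER_SECRET, b"token-signing")  # hypothetical label

def b64(raw):
    return base64.urlsafe_b64encode(raw).decode()

def request_key(token):
    # Derived from the token, so a node can recompute it without storing state.
    return b64(hkdf_sha256(MASTER_SECRET, b"request-key:" + token.encode()))

def issue_token(uid, node, ttl=300, now=None):
    """Token server: runs once, after the browserid assertion has been verified."""
    expires = int(time.time() if now is None else now) + ttl
    payload = json.dumps({"uid": uid, "node": node, "expires": expires}).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    token = b64(payload) + "." + b64(sig)
    return {"id": token, "key": request_key(token), "uid": uid, "api_endpoint": node}

def sign_request(key, method, path):
    """Client: MAC over the request, keyed with 'key' (no nonce/timestamp here)."""
    msg = (method + "\n" + path).encode()
    return b64(hmac.new(key.encode(), msg, hashlib.sha256).digest())

def node_check(node, token, method, path, mac, now=None):
    """Node: HMAC checks only, no browserid crypto. Returns the uid or None."""
    now = time.time() if now is None else now
    try:
        p64, s64 = token.split(".")
        payload, sig = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(s64)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    if claims["expires"] < now or claims["node"] != node:
        return None
    good_mac = sign_request(request_key(token), method, path)
    return claims["uid"] if hmac.compare_digest(mac.encode(), good_mac.encode()) else None
```

<p>The node rejects a token that is expired, altered, or issued for a different node, and it never sees the browserid assertion.</p>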
</div>
<div class="section" id="crypto-details">
<h2>Crypto details</h2>
<p>The whole flow is explained in our documentation for the token server.</p>
</div>
You can also <a onclick="(function(){
let here = document.location;
document.location = `http://pdf.fivefilters.org/simple-print/url.php?size=A4#${here}`;
return false;
})();return false;">download this article as a PDF</a>.
</div>
</div>
</div>
<label for="sidebar-checkbox" class="sidebar-toggle"></label>
<script>
(function(document) {
var i = 0;
// snip empty header rows since markdown can't
var rows = document.querySelectorAll('tr');
for(i=0; i<rows.length; i++) {
var ths = rows[i].querySelectorAll('th');
var rowlen = rows[i].children.length;
if (ths.length > 0 && ths.length === rowlen) {
rows[i].remove();
}
}
})(document);
</script>
<script>
/* Lanyon & Poole are Copyright (c) 2014 Mark Otto. Adapted to Pelican 20141223 and extended a bit by @thomaswilley */
(function(document) {
var toggle = document.querySelector('.sidebar-toggle');
var sidebar = document.querySelector('#sidebar');
var checkbox = document.querySelector('#sidebar-checkbox');
document.addEventListener('click', function(e) {
var target = e.target;
if(!checkbox.checked ||
sidebar.contains(target) ||
(target === checkbox || target === toggle)) return;
checkbox.checked = false;
}, false);
})(document);
</script>
<!-- Piwik -->
<script type="text/javascript">
var _paq = _paq || [];
_paq.push(['trackPageView']);
_paq.push(['enableLinkTracking']);
(function() {
var u="//tracker.notmyidea.org/";
_paq.push(['setTrackerUrl', u+'piwik.php']);
_paq.push(['setSiteId', 3]);
var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js'; s.parentNode.insertBefore(g,s);
})();
</script>
<noscript><p><img src="//tracker.notmyidea.org/piwik.php?idsite=3" style="border:0;" alt="" /></p></noscript>
<!-- End Piwik Code -->
</div>
</body>
</html>