Authentication with REST APIs


Samuel

Sep 1, 2016, 7:10:25 AM
to dex-dev
Hey dex team,

We're deploying Dex within our microservices infrastructure and thanks again for releasing this great service!

For a simple web app, the implementation is straightforward and well documented using the OIDC "authorization code flow".

On the other hand, I'm a bit confused on how a REST API can authenticate a user. I'm thinking about the following implementations:
  • the REST API could require an access_token; (as the dex-worker schema API).
    But how to validate it? I've seen that the token introspection endpoint could validate an access token but it looks like it is not available with DEX.
  • the REST API could require an authorization code (fetched by a web app after the user logged in); and then request an id token/access token to DEX using the token endpoint.
What would be the best practice?

Best regards,
Samuel

Eric Chiang

Sep 1, 2016, 12:40:50 PM
to Samuel, dex-dev
To recap, the REST API is kind of a mess but is split between two groups. A bootstrapping API (on the overlord) and a user management API (on the workers). The former just uses a preset token, the latter uses an ID Token as a bearer token for auth. The user management API requires your client to be an "admin client" (poorly named) which basically means that it can talk to the API. The user the ID Token is issued for must be an "admin user" for most of the endpoints.


> the REST API could require an access_token; (as the dex-worker schema API).

We're redesigning dex now, and yes I think it's more reasonable to use this strategy. It's more compliant with existing OAuth2 clients. But good news, dex already returns the ID Token as an access_token[0]! So you can already do this. However please don't rely on dex returning you a JWT as the access_token, as the underlying scheme may change.

> But how to validate it? I've seen that the token introspection endpoint could validate an access token but it looks like it is not available with DEX.

How do you validate the access_token for any OAuth2 service that doesn't implement this spec? I generally just use the token and report any errors I get back. It'd be reasonable to implement this endpoint, but I'm skeptical about how much use it would see.


> the REST API could require an authorization code (fetched by a web app after the user logged in); and then request an id token/access token to DEX using the token endpoint.

Using this authorization code for auth is weird, since you don't need a client secret to get one.

You may also want to look at the PR that got merged this morning that lets you get an access_token with client credentials alone, then use it to auth against the API[1].

[0] https://github.com/coreos/dex/blob/d758e38cd4ec316f0b737404f8a6ff4bed26dff0/server/http.go#L535-L540
[1] https://github.com/coreos/dex/pull/529

To view this discussion on the web visit https://groups.google.com/d/msgid/dex-dev/a769339b-b841-421c-890f-1a8d88117a33%40googlegroups.com.
