Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

jwt #119

Merged
merged 14 commits into from
Jun 14, 2024
Merged

jwt #119

merged 14 commits into from
Jun 14, 2024

Conversation

enolfc
Copy link
Contributor

@enolfc enolfc commented May 22, 2024
edited
Loading

Summary

JWT authentication and an API wrapper capable of from a JWT token call the hub API with a valid internal hub token and return results.

The JWT authentication extends the egiauthenticator with a new handler listening at /jwt_login that when sent a valid JWT token it will authenticate the user as with the regular code grant based authentication and return a JSON like this:

{
  "token": "<a valid hub api token with same duration as the JWT>",
  "user": "<the hub user name>"
}

This could be used by an API client directly to perform any subsequent calls.

In the EOSC procurement node we add an additional wrapper so the client is not aware of the internal hub token. This wrapper will forward any call to the hub API and will attempt to authenticate with a JWT and use the returned token for the API call. The wrapper is a simple fastAPI application that can be run as a service of the Hub:

c.JupyterHub.services = [
    {
        "name": "jwt",
        "url": "http://localhost:1984/",
        "display": False,
        "command": ["fastapi", "run", "--port", "1984", "/egi-notebooks-hub/egi_notebooks_hub/services/api_wrapper.py"]
    }
]

What's missing:

  • avoid hardcoding configuration (paths, ports, ...)
  • maybe caching of tokens
  • dealing with refresh tokens

Related issue :

enolfc added 12 commits May 22, 2024 16:20
@enolfc
Getting to read the token
03b77b3
@enolfc
Getting closer
2c65a77
@enolfc
Just linting
c68bacf
@enolfc
JWT authentication improvements
c3dfca2
@enolfc
An attempt to wrap the API with JWT
6c7716b 
Lots of hardcoded stuff and assumptions, but works as expected. It can
be run as a service with a config like this
```
c.JupyterHub.load_roles = [
    {
        "name": "jwt",
        "scopes": [
            "read:users:activity",  # read user last_activity
            "servers",  # start and stop servers
            "admin:users",  # needed if culling idle users as well
        ],
    },
    {
        "name": "user",
        "scopes": ["access:services", "self"],
    },
]

c.JupyterHub.services = [
    {
        "name": "jwt",
        "url": "http://localhost:1984/",
        # any secret >8 characters, you'll use api_token to
        # authenticate api requests to the hub from your service
        "api_token": "super-secret",
    }
]
```

and then start the service:
```
fastapi dev --port 1984 api_wrapper.py
```
@enolfc
Improve linting
7416917
@enolfc
Removed unneeded function
2167654
@enolfc
Generalise for all HTTP methods
af743e2
@enolfc
Raise 403 when appropriate
2a32721
@enolfc
Better error handling
3fe2920
@enolfc
Adjust the duration of tokens
1a2a533 
Also remove some unneeded code
@enolfc
Remove dangling code
3a0a7cf
@enolfc enolfc marked this pull request as ready for review June 11, 2024 13:54
@enolfc
Copy link
Contributor Author

enolfc commented Jun 11, 2024

This is ready for a first review and then deployment in devel/staging. We can refine it later as we test it out.

andrea-manzi
andrea-manzi approved these changes Jun 13, 2024
View reviewed changes
Copy link
Contributor

@andrea-manzi andrea-manzi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i'll leave the testing to Frantisek , but it looks very good to me! ( with the limitations that you have already mentioned)

@enolfc
Copy link
Contributor Author

enolfc commented Jun 14, 2024

I'm merging so we have new docker images and we can properly test

@enolfc enolfc merged commit bf01309 into EGI-Federation:main Jun 14, 2024
3 checks passed
@enolfc enolfc deleted the jwt branch June 14, 2024 07:57
@enolfc enolfc mentioned this pull request Jun 20, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrea-manzi andrea-manzi andrea-manzi approved these changes

@valtri valtri Awaiting requested review from valtri

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@enolfc @andrea-manzi