
Add OAuth2 authentication (57) #87

Merged
merged 4 commits into from
Mar 11, 2021

Commits on Mar 11, 2021

  1. Add security dependencies

    * python-multipart: Required for FastAPI to process form data
    * python-jose[cryptography]: Create JSON Web Tokens (JWTs) for use as
      OAuth2 access tokens
    * passlib[argon2]: Create and validate salted hashes of passwords
    jwhitlock committed Mar 11, 2021 (8bd4db1)
  2. Add API client table

    jwhitlock committed Mar 11, 2021 (500f155)
  3. Add OAuth2 client credentials grant

    Add a /token endpoint that implements the OAuth2 client credentials
    grant process. A caller passes a client_id and a client_secret, either
    in the form body or a header, and gets an OAuth2 token that expires.
    The token is implemented as a JSON Web Token, signed by the server (HMAC
    with SHA-256). When the token expires, the client calls /token again.
    
    All API endpoints now require a bearer token. The Swagger API docs
    include a mechanism for authenticating in the browser.
    
    This adds new application settings:
    
    * CTMS_SECRET_KEY - A long string used in JWT signing. There is a
      default for development, and it should be unique for each deployment.
    * CTMS_TOKEN_EXPIRATION - How long, in seconds, access tokens are
      valid. Default is 60 minutes.
    jwhitlock committed Mar 11, 2021 (7e2f7a2)
  4. Add client_credentials.py

    This script is used to generate API client credentials. It takes a short
    name to identify the client and a contact email, and generates a
    client_secret. It prints out the details of the credentials, which can
    be sent to the requester.
    
    It can also be used to update an existing API client, including updating
    the email address and disabling the credentials.
    jwhitlock committed Mar 11, 2021 (2d65674)
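The token format described in the third commit (an HS256-signed JWT with an expiry, used as the OAuth2 access token), shown as an added standard-library example rather than the project's own python-jose code. Setting names, the `api_client:` subject prefix and the sample secret are assumptions; the constant-time signature check, the `alg` pin and the expiry check are the parts a verifier must not skip.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins for the CTMS_SECRET_KEY / CTMS_TOKEN_EXPIRATION settings
# named in the commit message (assumed mapping; values are sample only).
SECRET_KEY = "constructed-dev-secret-change-per-deployment"
TOKEN_EXPIRATION = 3600  # seconds; the commit's 60-minute default


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(client_id: str, now=None, secret=SECRET_KEY, ttl=TOKEN_EXPIRATION) -> str:
    """Issue an HS256 JWT naming the API client, with iat and exp claims."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": f"api_client:{client_id}", "iat": now, "exp": now + ttl}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, now=None, secret=SECRET_KEY):
    """Return the payload if the signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
            return None
        expected = hmac.new(secret.encode(), f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # constant-time compare
            return None
        payload = json.loads(_b64url_decode(body_b64))
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None  # expired: the client must call /token again
    return payload
```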