[jira] [Commented] (OFBIZ-12033) Separate login service for API calls



Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-12033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17306585#comment-17306585 ]

Michael Brohl commented on OFBIZ-12033:
---------------------------------------

Hi [~gvasmatkar] ,

I have now checked again and I am still unsure about the authentication mechanism.

I have taken any user login (demoemployee in this case) and can get an authentication token to use the REST API with his credentials. I can then use the findProductById service through REST and have access to the product data.

If I login to the webtools with this user, access is restricted to only the party and humanres components. I have no access to the catalog manager and products.

I think we should have *strict authentication* to access the REST API (endpoints or sets) through explicit permissions. A user must *explicitly* be allowed to access a specific API set to be able to authenticate and get an access token *for the specific API set only*.

That also means that we cannot use the /auth/token API without context. It should only be used within the API context, like

/webshop/v1/auth/token

/my-api/auth/token

etc.

The API then has to check if the user is allowed to use /webshop or /my-api before it generates an access token. The access token should only be valid for the API it is generated for.

That means, if I get a token with /webshop/v1/auth/token this cannot be used for /my-api.

If we can agree on this, the next steps would be to be able to show different Swagger UIs for every API set and have the /auth/token request respect the context it is used in.

What do you think? Does it make sense to you?

I would also appreciate others joining the discussion so that we get opinions from different perspectives.

> Separate login service for API calls
> ------------------------------------
>
>                 Key: OFBIZ-12033
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12033
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>            Reporter: Girish Vasmatkar
>            Assignee: Girish Vasmatkar
>            Priority: Minor
>
> We're using the userLogin service to authenticate users before generating auth tokens for REST API and GraphQL calls. However, we figured that a session is also getting created and returned in the response, which is defeating the purpose of having an API in place. Even though that session is not getting used anywhere when subsequent calls are made using the token, we still think it is an extra session lying around in Tomcat's session cache.
>
> Proposal is to implement a new basic userLogin service (basicAuthUserLogin) that would just do username/password matching and be done with it without ever calling request.getSession(). This will ensure that APIs are stateless and no session is generated.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
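As an added illustration of the token scoping proposed in the comment above (this is example code, not OFBiz's own implementation): a token is only issued at /<api-set>/auth/token when the user is explicitly permitted on that API set, the API set is bound into the token as an audience claim, and a token minted for /webshop is rejected by /my-api. The permission table, the HMAC secret and the token format are constructed assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real deployment would use a managed signing key.
SECRET = b"constructed-demo-secret"

# Constructed permission table: which API sets each user may authenticate against.
# (demoemployee is the user mentioned in the comment; its permissions here are invented.)
API_PERMISSIONS = {
    "demoemployee": {"my-api"},
    "admin": {"webshop", "my-api"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user: str, api_set: str, ttl: int = 3600, now: Optional[int] = None) -> Optional[str]:
    """Handle /<api_set>/auth/token: refuse unless the user is explicitly allowed
    on that API set, and bind the token to it via the 'aud' claim."""
    if api_set not in API_PERMISSIONS.get(user, set()):
        return None
    now = int(time.time()) if now is None else now
    claims = {"sub": user, "aud": api_set, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_token(token: str, api_set: str, now: Optional[int] = None) -> Optional[dict]:
    """Validate a token presented to /<api_set>/...: check the signature, the
    expiry, and that 'aud' names the API set actually being called."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(_unb64(body))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now or claims.get("aud") != api_set:
        return None
    return claims

if __name__ == "__main__":
    token = issue_token("demoemployee", "my-api")
    print(verify_token(token, "my-api"))          # accepted: issued for my-api
    print(verify_token(token, "webshop"))         # None: token is bound to my-api
    print(issue_token("demoemployee", "webshop")) # None: user not permitted on webshop
```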