Re: [abacus] Securing REST endpoints using OAuth bearer access token


Jean-Sebastien Delfino
 

Exactly. We're already using the jsonwebtoken [1] library for the handling
of JWT tokens. The work we've been discussing here is more about
integrating that token validation and the authorization logic in the rest
of our code, and in particular where do we hook the token validation,
before or after our incoming request validation code?

For a more comprehensive authentication solution (which we've not really
started to work on), I'd suggest looking at a library like Passport [2], for
example, which works well with the Express framework we're using and comes
with all kinds of authentication strategy plugins, including support for JWT
via plugins such as these [3].

[1] https://www.npmjs.com/package/jsonwebtoken
[2] https://www.npmjs.com/package/passport
[3] https://www.npmjs.com/search?q=passport+jwt

- Jean-Sebastien

On Wed, Sep 30, 2015 at 5:30 PM, Filip Hanik <fhanik(a)pivotal.io> wrote:

I wouldn't recommend writing this library by hand when there are plenty of
libraries to pick from.

Take a look at "Client libraries" at
http://oauth.net/2/

and there are plenty more.

On Wed, Sep 30, 2015 at 3:58 PM, Saravanakumar A Srinivasan <sasrin(a)us.ibm.com> wrote:

I am working on implementing (see the GitHub commit at [1] for more details)
an Express middleware to authenticate incoming requests using an OAuth bearer
access token. We want to make sure our implementation follows the OAuth 2.0
Authorization Framework specification [2] when processing client requests.

While reading the specification I came across a section [3] where the spec
lists error codes to use when we get an invalid request. In there, the
invalid_request error code seems to suggest that we need to validate the
required request parameters for a particular request before we authenticate
the user, and return HTTP response code 400 with an appropriate error code and
error message. It also mentions that we need to return HTTP response code
401 when a request does not contain any authentication information. So it
sounds odd to me to validate the request parameters before we validate the
authentication of the request.

Any thoughts?


[1] https://github.com/cloudfoundry-incubator/cf-abacus/commit/cbadf4f287dd6930321b6332a54f388fb51e2524
[2] http://tools.ietf.org/html/rfc6750
[3] http://tools.ietf.org/html/rfc6750#section-3.1

Thanks,
Saravanakumar Srinivasan (Assk),

Bay Area Lab, 1001, E Hillsdale Blvd, Ste 400, Foster City, CA - 94404.
E-mail: sasrin(a)us.ibm.com
Phone: 650 645 8251 (T/L 367-8251)
