Story #4919

open

[API] Arvados clients can use standard OAuth2 protocol instead of custom token handling mechanism

Added by Peter Amstutz almost 10 years ago. Updated over 3 years ago.

Status: New
Priority: Normal
Assigned To: -
Category: -
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Story points: 2.0

Description

While the API server uses OAuth2 to authenticate with the SSO server, Workbench does not use OAuth2 to authenticate with SSO directly. Instead it follows a custom login flow that authenticates the user on the API server with SSO, and then returns an API server token to Workbench via a query parameter in a redirect URL.

https://tools.ietf.org/html/rfc6750 section 5.3:

Don't pass bearer tokens in page URLs: Bearer tokens SHOULD NOT be
passed in page URLs (for example, as query string parameters).
Instead, bearer tokens SHOULD be passed in HTTP message headers or
message bodies for which confidentiality measures are taken.
Browsers, web servers, and other software may not adequately
secure URLs in the browser history, web server logs, and other
data structures. If bearer tokens are passed in page URLs,
attackers might be able to steal them from the history data, logs,
or other unsecured locations.

Also, section 2.1:

RFC 6750 section 2.1 specifies that the Authorization header carrying an access token has the form "Authorization: Bearer XYZ", not "Authorization: OAuth2 XYZ" (which we use now).
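As an added example (not Arvados code and not part of this issue), the following Ruby shows the RFC 6750 handling the story asks for: parsing `Authorization: Bearer` per section 2.1 (while still recognizing the current `OAuth2` scheme so it can be deprecated rather than broken), detecting and redacting credentials carried in a redirect or request URL per section 5.3, and refusing to authenticate a request whose token arrives in the query string. The query-parameter names `api_token`, `access_token` and `token` are assumed for illustration; the issue does not name the parameter Workbench uses.

```ruby
require 'uri'

# RFC 6750 section 2.1 credential grammar:
#   credentials = "Bearer" 1*SP b64token
#   b64token    = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
# The auth-scheme name is case-insensitive (RFC 7235), hence /i.
BEARER_HEADER = /\ABearer[ \t]+(?<token>[A-Za-z0-9\-._~+\/]+=*)\z/i
# The non-standard scheme the issue says is in use today.
LEGACY_HEADER = /\AOAuth2[ \t]+(?<token>\S+)\z/i

# Parse an Authorization header value. Returns [:bearer, token],
# [:legacy, token], or nil when the header is absent or malformed.
def parse_authorization(value)
  return nil if value.nil?
  v = value.strip
  if (m = BEARER_HEADER.match(v))
    [:bearer, m[:token]]
  elsif (m = LEGACY_HEADER.match(v))
    [:legacy, m[:token]]
  end
end

# Query-parameter names treated as credentials. These names are an
# assumption for this example; the issue does not name the parameter
# Workbench uses in its redirect URL.
TOKEN_PARAMS = %w[api_token access_token token].freeze

# Names of credential-carrying query parameters in a URL (the section 5.3
# anti-pattern). Works for absolute URLs and for bare request paths such as
# "/arvados/v1/users/current?api_token=...".
def token_params_in_url(url)
  query = URI.parse(url).query
  return [] if query.nil? || query.empty?
  URI.decode_www_form(query).map(&:first) & TOKEN_PARAMS
end

# Scrub credential query parameters before a URL is written to a log.
def redact_url(url)
  u = URI.parse(url)
  return url if u.query.nil? || u.query.empty?
  pairs = URI.decode_www_form(u.query).map do |k, v|
    [k, TOKEN_PARAMS.include?(k) ? 'REDACTED' : v]
  end
  u.query = URI.encode_www_form(pairs)
  u.to_s
end

# Rack-style authentication: the token is accepted only from the
# Authorization header. A request that carries it in the query string is
# refused outright, because by the time the handler sees it the token is
# already in browser history and the web server access log.
# env is a Rack env hash (keys REQUEST_URI and HTTP_AUTHORIZATION).
def authenticate(env)
  if token_params_in_url(env.fetch('REQUEST_URI', '/')).any?
    return { ok: false, reason: :token_in_url }
  end
  parsed = parse_authorization(env['HTTP_AUTHORIZATION'])
  return { ok: false, reason: :missing_or_malformed } if parsed.nil?
  scheme, token = parsed
  { ok: true, scheme: scheme, token: token }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the redirect URL shape the issue describes, then a
  # header-based request in the RFC 6750 form.
  leaky = 'https://workbench.example.com/?api_token=v2tokenexample&return_to=%2Fprojects'
  puts "query params carrying credentials: #{token_params_in_url(leaky).inspect}"
  puts "log-safe form: #{redact_url(leaky)}"
  p authenticate('REQUEST_URI' => '/arvados/v1/users/current',
                 'HTTP_AUTHORIZATION' => 'Bearer v2tokenexample')
  p authenticate('REQUEST_URI' => '/arvados/v1/users/current?api_token=v2tokenexample')
end
```

Run it directly to see the constructed redirect URL flagged and redacted, and the same token accepted only when it arrives in the Authorization header. Reporting the scheme (`:bearer` or `:legacy`) lets a server log which clients still send `OAuth2 ...` before the old form is switched off.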
