Closed psFried closed 1 year ago
As I got into the implementation, I realized there were a few things that needed to be changed.

Set-Cookie header needs to come from the specific domain of the task endpoint that the user is connecting to. Browsers don't allow you to set a cookie from domain.com with a Domain attribute of sub.domain.com. So the DPG /auth-redirect handler is now accessed under the endpoint-specific hostname, e.g. https://abc123-8080.dataplane.estuary-data.dev/auth-redirect. Of course a container could technically have its own /auth-redirect handler, so DPG only routes the request to its own handler if the request is unauthorized.
Set-Cookie to come from the main data-plane domain in the first place was to avoid the token url parameter from being sent as part of the Referer header. It turns out, the default Referrer-Policy of strict-origin-when-cross-origin already avoids this scenario. The Referer will only include the origin (not the path).
__Host-flow_auth, which tells the browser that the cookie must not have a Domain attribute. In other words the cookie is always scoped to a single endpoint.

So the revised summary is:

https://abc123-8080.dataplane.estuary-data.dev/foo.html
__Host-flow_auth cookie, and allows using that to authenticate requests to private ports. Uses the same data-plane JWT we do today
dashboard.estuary.dev, passing the requested auth scope and a redirect url as query parameters.
dashboard.estuary.dev/data-plane-auth-req?prefix=$taskName&orig_url=https://abc123-8080.dataplane.estuary-data.dev/foo.html
/data-plane-auth-req page to the UI, which requires the user to login to dashboard.estuary.dev and ultimately redirects back to DPG.
prefix.
$orig_url is a subdomain of the gateway_url that's associated with the given prefix. This is to prevent malicious links from sending the token to naughty servers.
${orig_url.host}/auth-redirect?orig_url=$orig_url&token=$jwt
/auth-redirect handler that takes the token and orig_url and returns another redirect to the orig_url
Set-Cookie header, setting __Host-flow_auth to the value of the token from the URL

estuary/ui#526 is a related UI PR, which implements the /data-plane-auth-req page, and also displays exposed endpoints in the UI so that users can find them easily.

The goal is to make it so that users can just click a link for a private port and be taken through the authentication flow automatically. Here's the plan for how that can work:

__Secure-flow_auth cookie, and allows using that to authenticate requests to private ports. Uses the same data-plane JWT we do today
dashboard.estuary.dev, passing the requested auth scope and a redirect url as query parameters.
dashboard.estuary.dev/data-plane-auth-req?catalog_name=$taskName&redirect_to=${dataplane.estuary-data.dev/auth-redirect?orig_url=$originalUrl}
dashboard.estuary.dev and ultimately redirects back to DPG.
dashboard.estuary.dev?
/auth-redirect handler that takes the token and orig_url and returns another redirect to the orig_url
Set-Cookie header, setting __Secure-flow_auth to the value of the token from the URL
Domain attribute set to the full subdomain of the specific task that they are accessing.
/auth-redirect handler uses the base data-plane hostname, not the hostname for the specific task.
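
The orig_url subdomain check and the /auth-redirect step from the revised summary, as an added Go example; it is not code from the DPG or UI repositories. The function names, the gatewayHost parameter (standing in for the host of the gateway_url associated with the prefix), the 302 status, and the HttpOnly and SameSite attributes are assumptions, and the rejected URLs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// validateOrigURL: https only, host must be a subdomain of gatewayHost (assumed parameter).
func validateOrigURL(origURL, gatewayHost string) (*url.URL, error) {
	u, err := url.Parse(origURL)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" || u.User != nil {
		return nil, errors.New("orig_url must be https with no userinfo")
	}
	// Compare on a label boundary so a look-alike suffix cannot match.
	host := strings.ToLower(u.Hostname())
	if !strings.HasSuffix(host, "."+strings.ToLower(gatewayHost)) {
		return nil, errors.New("orig_url is not under the gateway host")
	}
	return u, nil
}

// authCookie meets the __Host- rules: Secure, Path=/, no Domain. HttpOnly and SameSite are assumptions.
func authCookie(token string) *http.Cookie {
	return &http.Cookie{Name: "__Host-flow_auth", Value: token, Path: "/",
		Secure: true, HttpOnly: true, SameSite: http.SameSiteLaxMode}
}

// authRedirect handles /auth-redirect: set the cookie, then redirect to orig_url without the token.
func authRedirect(w http.ResponseWriter, r *http.Request, gatewayHost string) {
	q := r.URL.Query()
	dest, err := validateOrigURL(q.Get("orig_url"), gatewayHost)
	if err != nil || q.Get("token") == "" {
		http.Error(w, "invalid auth redirect", http.StatusBadRequest)
		return
	}
	http.SetCookie(w, authCookie(q.Get("token")))
	http.Redirect(w, r, dest.String(), http.StatusFound)
}

func main() {
	_, err := validateOrigURL("https://dataplane.estuary-data.dev.evil.example/", "dataplane.estuary-data.dev")
	fmt.Println("rejected:", err != nil, "|", authCookie("constructed.jwt.value").String())
}
```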