gyselroth / balloon-client-web

balloon web user interface
GNU General Public License v3.0

File download and display does not work with oidc #87

Open juckerf opened 6 years ago

juckerf commented 6 years ago

Description

Is: When logged in via OpenID Connect and trying to download a node or to display an "embedded" file (image, video, audio etc.), an HTTP Authentication prompt is shown. The corresponding HTTP GET request returns a 401 code.

Should: The file is downloaded or displayed in the web interface, respectively.

balloon web client version

3.0.1

balloon server version

2.1.3

Your client operating system

Linux Mint 18.2 (tested with OS X and Windows too)

Your browser

Firefox 62.0, Chrome 69.0.3497.100

juckerf commented 6 years ago

In src/lib/core.js on lines 5692 and 6613 there seems to be a typo. https://github.com/gyselroth/balloon-client-web/blob/350d6a41d51d3b1e4740578473fb22360b82fe5c/src/lib/core.js#L5692 https://github.com/gyselroth/balloon-client-web/blob/350d6a41d51d3b1e4740578473fb22360b82fe5c/src/lib/core.js#L6613

!login.getAccessToken() should be login.getAccessToken(), I guess, to pass the access_token to the API via URL.

juckerf commented 6 years ago

Additionally, it doesn't look like the balloon server handles the access_token query param, and passing the token via URL is not recommended by the OAuth specs anyway (https://tools.ietf.org/html/rfc6750#section-5.3) (it's probably better to fetch the content via AJAX and then display it/"download" it on the client side or something).

juckerf commented 6 years ago

(it's probably better to fetch the content via ajax and then display it/"download" it on the client side or something)

This would be possible with the Blob API (https://developer.mozilla.org/de/docs/Web/API/Blob) but has several limitations (browser support, size limits etc.). Another solution would be to generate expiring tokens for specific files (see paragraph 5 in https://auth0.com/blog/ten-things-you-should-know-about-tokens-and-cookies/), which is more or less already implemented with share links.

juckerf commented 6 years ago

Implemented a minimal PoC (far from perfect) for this stateless ticket mechanism (server and client side) in https://github.com/juckerf/balloon/tree/issue_87 and https://github.com/juckerf/balloon-client-web/tree/issue_87

raffis commented 6 years ago

Yes, the Blob API will not work since most browsers store the data in memory and this will not work for big files. The only thing which will probably work in the future is a WritableStream to the local filesystem:

But this is mostly not supported yet.

Your PoC sounds good but there are several issues:

It is not forbidden (https://tools.ietf.org/html/rfc6750#section-2.3) by the OAuth spec to use access_token in the URI as a query string. Yes, it is definitely a security issue, but for this issue there is no good workaround (yet).

I have released v0.0.7 of micro-auth, which can authenticate an incoming request if the token is passed via query string for the time being, but will leave this issue open for now.