Implement OAuth-based authentication strategy

[Fohlen]

We should implement an OAuth-based authentication strategy on top of inexor-flex What I have in mind is:

• every flex server can provide a user domain
  • the requirements are a FQDN and a valid SSL certificate (e.g from let's encrypt)
• the server owner can issue accounts to users by a trait system he prefers (usually this is username/password-based)
• to authenticate, the user will issue an OAuth token from the authentication server via the authentication trait
• once the token is received, a challenge-based system can be used on another server to verify the users identity
  • server B asks server A (inexor.org) if I am fohlen at inexor.org
  • I tell server A that I am fohlen, using the previously fetched API token as a payload
  • server A ensures to server B that I am fohlen at inexor.org
  • handshaking done, I am logged in
• tokens should have a maximum TTL, I suggest approximately 1 hour
• in the default configuration, every server will trust * at inexor.org, however this being highly optional (the server admin can disable that at any time)

[Fohlen]

The FQDN problem could be solved as follows:

• we create an API server which handles a network domain, e.g inexor.network for us
• on first time, a server owner can register his/her node to the network with inexor-flex node register
• this will issue a new, randomly generated domain (e.g, UUID) random.node.inexor.network
• the domain's A (or AAAA) record will be updated to the requesters IP address
• now it can be used with Let's Encrypt to issue a SSL certificate for the domain
• along with the domain, you get a secret. This secret can be used again to change the record of the domain
• if you lose your secret, your node UUID will be lost
• an implementation of such a service could easily be done with Hetzner's API

Pro:

• every server automagically get's a DNS record
• we could offer alias domains at alias.inexor.network
• obviously, every server get's SSL, thumbs up
• spoofing in our network could be reduced. We can set up the DNS server to rate-limit all node.inexor.org domains to something like 20/h, which is a realistic amount. If one would try to resolve all real IP addresses of all servers on the list ...

Contra:

• we need to host it ourselves
• it will be an interesting piece of technology that's not been tried this way in open source ever before

(if you're wondering what this is? This is essentially a DynDNS provider)

[MartinMuzatko]

I'm trying to understand how this is related with an account system we might introduce with this.

For what do you authenticate? For the role you have assigned at a server? Meaning we have our own auth server and each server can deal with the different users?

How do you authenticate users? Does every user need to have an account? Please let me know of your thoughts @Fohlen

[Fohlen]

Hello @MartinMuzatko The authentication serves the following purpose:

• there should be several "layers" of flex usable for different users
• public API e.g should only be callable to retrieve e.g currently hosted servers (server list)
• "protected API" might add further functionality
• only admins should be able to write arbitrary content to the Flex Tree (-> Inexor)

Therefore we want users (of game servers usually) to be able to log in. OpenID is a good standard here.

[MartinMuzatko]

Can this also be used for something like a community hub or is this only meant for gameserver authentication? If we want users to authenticate with our content-server to publish and share their content, they don't necessarily need to be authenticated with a single game-server. Where we host the users content for easy sharing. If we are going to do this, I think we need an extra ticket in order to organize this, but I can imagine there are intersections between the authentication to a single gameserver and how a user exists spanning across all servers.

I don't know if this is on-topic and if this is what we are looking for. I tried to document our community intentions in the wiki: https://github.com/inexorgame/inexor-core/wiki/Game-Community#account--profile

[MartinMuzatko]

I think the idea is to create a decentralized authentication mechanism, rather than a platform. Will there be both maybe? Or how do we make something like our community features possible with the decentralized approach?

[Fohlen]

Well that's a different topic and it's handled by a separate ticket. Community aspect shall be handled by a decentralised p2p network on top of the individual servers (distributing the master list). In the end one should be able to login as account@nodeid on any other server in the network

[MartinMuzatko]

We started implementing on inexor-cloud: https://github.com/inexorgame/inexor-cloud This provides oAuth auth with external providers (github, twitter, google, etc) and JWT with local provider (register inexor account)

[Fohlen]

Can this be closed then?

[MartinMuzatko]

Yep :) closing now.

[MartinMuzatko]

There will be adaptions required in flex, since login is centralized. Should we allow a second tier between auth and no auth?

1. log in with inexor-cloud
2. log in with server only
3. no login