lacuna-tech / mds-core

Repo for LADOT MDS implementation for contribution to the Open Mobility Foundation
Apache License 2.0

Basic Authentication with scopes #956

Closed jschirrmacher closed 2 years ago

jschirrmacher commented 2 years ago

In mds-api-authorizer a "Basic" authorization scheme is implemented which allows users to send scopes, encoded as base64. While this might help when testing the software, it seems to me to be a problem in a production environment. Is there anything I've overlooked that prevents users from creating Basic Auth tokens themselves and reading and writing data which they normally don't have permission to?

avatarneil commented 2 years ago

Hi @jschirrmacher,

The API Authorizer is meant to be just that, an authorizer versus an authenticator. Prior to tokens making it to the api-authorizer layer, they should be getting evaluated against an authentication service (e.g. Auth0) by a proxy layer (istio for example) to ensure that tokens are still active, and were issued by the expected auth service. If tokens are authenticated prior to being authorized, then those tokens are guaranteed to not have been issued by users of a malicious actor (unless the authentication keys were compromised).

Does this answer your question?
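An added illustration of the contract described in this thread (example code, not mds-core's own authorizer): the Basic scheme, whose scopes are chosen by the client, is honoured only behind an explicit test-only flag, while Bearer tokens are accepted only with scopes the upstream authentication layer has already verified. The base64 payload format and every function and parameter name here are assumptions.

```python
import base64
import binascii
from dataclasses import dataclass, field
from typing import Iterable, Optional


@dataclass(frozen=True)
class Principal:
    scopes: frozenset = field(default_factory=frozenset)


class AuthorizationError(Exception):
    pass


def encode_basic_scopes(scopes: Iterable[str]) -> str:
    # Constructed payload format: space-separated scopes, base64-encoded.
    return base64.b64encode(" ".join(scopes).encode("utf-8")).decode("ascii")


def parse_basic_scopes(token: str) -> frozenset:
    # Inverse of encode_basic_scopes; reject anything that is not clean base64.
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise AuthorizationError("malformed Basic payload") from exc
    return frozenset(s for s in raw.split() if s)


def authorize(authorization: Optional[str], *, allow_basic: bool,
              verified_scopes: Optional[Iterable[str]] = None) -> Principal:
    # Basic: the client picks its own scopes, so only a test deployment
    # (allow_basic=True) may trust them. Bearer: scopes must come from the
    # proxy/auth-service layer that validated the token (verified_scopes),
    # never from anything this function decodes itself.
    if not authorization or " " not in authorization:
        raise AuthorizationError("missing or malformed Authorization header")
    scheme, _, token = authorization.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        if not allow_basic:
            raise AuthorizationError("Basic scheme is disabled outside test")
        return Principal(parse_basic_scopes(token.strip()))
    if scheme == "bearer":
        if verified_scopes is None:
            raise AuthorizationError("Bearer token was not authenticated upstream")
        return Principal(frozenset(verified_scopes))
    raise AuthorizationError(f"unsupported scheme {scheme!r}")


def require_scope(principal: Principal, scope: str) -> bool:
    # Final authorization decision once a Principal has been established.
    return scope in principal.scopes
```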

jschirrmacher commented 2 years ago

Thanks for your explanation @avatarneil, this actually answers my question.