Feature Proposal

Spec Version 0.2.0

Context

Problem

Describe the problem that is tackled in this issue

The student needs to be authenticated when using the online IDE. Especially for the exam mode, it is important that the user is not able to share his session link with someone else so that this person works in his place and attempts cheating. The VSCode plugin inside of the Online IDE needs an authentication token to access the problem statement and other components of the Artemis website. Two problems therefore arise:

Any token/credential saved in the Theia context can leak to third-parties authorized to access the session
Without authentication in Theia, we don’t know how many users are working together and submit using a reverse-proxy-like setup.

In addition, we don't want another login process where the user has to enter his credentials again. Opening the online IDE should be seamless and provide a fast entry.

The git cloning via HTTP or SSH imposes a secondary problem. The Theia session has to be able to clone and push to the student's exercise repository. If we clone the repository with HTTP the user would have to enter his credentials again. For SSH, we would have to generate an SSH on each Online Session start-up and link its public key to Artemis.

Motivation

Describe the motivation WHY the problem needs solving. Specify the affected users/roles.

Requirements Engineering

Existing (Problematic) Solution / System

What is the current solution (if there is one)? What is the problem with the current solution? You may include a UML Model here

Currently, Artemis uses JWT to authenticate its user. The JWT token is stored as an HTTPOnly cookie and can not be read in JS. Even if it were not HTTPOnly, hijacking that token would not be good practice, as a token should only be used for one service and not be shared. Therefore a new token for the online IDE and for the plugin should be generated. JWT is not built to generate additional tokens seamlessly.

Proposed System

What would the ideal solution look like?

To protect a theia session and guarantee seamless authentication we would integrate OIDC into Artemis. This allows generating a new token on session start up. Authentication users with OIDC before granting them session access generates traces at the KeyCloak OID-Provider allowing fraud detection just like the existing session monitoring

With OIDC:

1 Token in Artemis Website
1 Token in Theia for Instance Access
1 Token in VSCode Plugin for Artemis Access

For the cloning of repositories we propose a token based cloning. Theia would then be provided with such a token and the user would not have to enter his credentials again. Open:

how to securely pass this token to theia session?
if user passes this git token to someone else, can they submit without being detected?

Requirements

Describe the Functional and Non-Functional Requirements of the feature. Stick to the INVEST methodology!

FR: : <Description> </p> </li> <li> <p>NFR: <FURPS+ Category>: <Title>: <Description></p> </li> </ol> </blockquote> <h2>Analysis</h2> <h3>Analysis Object Model</h3> <blockquote> <p>What are the involved Analysis Objects? </p> </blockquote> <h3>Dynamic Behavior</h3> <blockquote> <p>Include dynamic models (Activity Diagram, State Chart Diagram, Communication Diagram) here to outline the dynamic nature of the PROBLEM </p> </blockquote> <h2>System Architecture</h2> <h3>Subsystem Decomposition</h3> <blockquote> <p>Show the involved subsystems and their interfaces. Make sure to describe the APIs that you add/change in detail. Model the DTOs you intend to (re)use or change! </p> </blockquote> <h3>Persistent Data Management</h3> <blockquote> <p>Describe the Database changes you intend to make. Outline new configuration options you plan to introduce Describe all other data persistence mechanisms you may use.</p> </blockquote> <h3>Access Control / Security Aspects</h3> <blockquote> <p>Describe the access control considerations for your feature</p> </blockquote> <h3>Other Design Decisions</h3> <blockquote> <p>Potential topics to discuss here include: WebSockets, testing strategies.</p> </blockquote> <h2>UI/UX Design</h2> <blockquote> <p>Screenshots of the final UI mockups (mandatory): Please include screenshots to provide a clear and persistent visual reference of the design. Link to the design mockup (optional): Additionally, you may include a link to the live design mockup (e.g., Figma, Sketch) for a more interactive view. Note that this link is supplementary and should not replace the required screenshots.</p> </blockquote> <h2>Open to discuss</h2> <ul> <li>if Theia has HTTPOnly token, can this token be used in the plugin? Is it maybe even automatically appended for each request of the plugin?</li> </ul> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/krusche"><img src="https://avatars.githubusercontent.com/u/744067?v=4" />krusche</a> commented <strong> 5 months ago</strong> </div> <div class="markdown-body"> <blockquote> <p>JWT is not built to generate additional tokens seamlessly.</p> </blockquote> <p>I do not agree with this statement. Users can login on multiple browsers, each time a new JWT token is generated. So in some sense, you could argue that one user can have arbitrary many JWT tokens at the same time.</p> <p>The Artemis client / browser stores the token in the cookie so that links to attachments can be shared and opened in separate tabs without the web application being active. </p> <p>However, this mechanism is not set in stone. If there is a specific requirement to change it, we can discuss it.</p> <p>Another alternative would be to host the client part of the Online IDE using the same URL as the Artemis instance based on a micro frontend approach. Then, the online IDE could directly access the JWT token within the cookie.</p> </div> </div> <div class="page-bar-simple"> </div> <div class="footer"> <ul class="body"> <li>© <script> document.write(new Date().getFullYear()) </script> Githubissues.</li> <li>Githubissues is a development platform for aggregating issues.</li> </ul> </div> <script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.min.js"></script> <script src="/githubissues/assets/js.js"></script> <script src="/githubissues/assets/markdown.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/highlight.min.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/languages/go.min.js"></script> <script> hljs.highlightAll(); </script> </body> </html>

ls1intum / Artemis

Secure Authentication for Online IDE #8763