Is there any secure authentication mode in current open ETP server?
I know there are 3 authentication modes ("none", "builtin", "delegate=URL") in open ETP server. The mode "none" is not secure because it does not verify the signature in the JWT token. The mode "builtin" is also not ready for production usage. It uses a fixed user name "foo" and user password "bar". It uses a symmetric key for computing the JWT signature. The mode "delegate=URL" is not implemented. It is only described in the command line help.
Is there any secure authentication mode in the current open ETP server? In the documentation, it says "On Azure, ETP supports authentication with a token." I could not find the authentication solution of Azure for end users. It seems the Azure-specific code is only related to the service principal token used when calling the OSDU partition service API. One of the OSDU principles is that it relies on third-party IDPs for managing users and issuing JWT tokens. If I get a JWT token from a third-party IDP, open ETP server should have a way to verify its signature. Some other OSDU services rely on the istio framework to do the JWT token verification. I can't find similar processing logic in open ETP server.
The following code is from the alt_etp12_openkv_start method in ServerCmds.cpp. It has all the authentication modes.
    // AuthN, i.e. Authentication
    openkv::OpenKVAuthNMgr authN_mgr;
    if (authN == "none") {
        OES_WARNING(oes::core::Format("Warning: Authentication disabled.\n"));
        authN_mgr = [&ctx](
            const std::string& auth_hdr, auth::AuthDetails* p_details
        ) {
            auth::AuthenticatedUser au;
            // try to get the current user, for AuthZ later.
            if (!auth_hdr.empty()) {
                OES_WARNING(oes::core::Format("Warning: Authentication header ignored: --authN none\n"));
                // We try decoding the header with a dummy JWT secret, that will fail
                // of course, but give us the jwt_payload, to reparse that as JSON, and
                // we look for the "username" key, i.e. the same "claim" as our JWT processing.
                auth::AuthDetails local_details;
                auth::AuthDetails& details = p_details ? *p_details : local_details;
                au = auth::AuthenticatedUser::decodeFromHeader(
                    auth_hdr, "jwt-secret", &details
                );
                auth::AuthType prev_type = au.type_;
                if (!au.ok_ && !details.jwt_payload_.empty()) {
                    au = auth::AuthenticatedUser::decodeFromJson(
                        details.jwt_payload_, false, &details
                    );
                    au.type_ = prev_type; // otherwise eUnknown overrides eBearer
                }
            }
            if (au.name_.empty()) {
                au.name_ = "nobody"; // failed to get username from auth_hdr
            }
            au.since_ = std::chrono::system_clock::now();
            au.read_only_ = false; // No authN, leave it to authZ (if any)
            au.header_ = auth_hdr;
            au.ok_ = true;
            return au;
        };
    } else if (authN == "builtin") {
        if (jwtSecret.empty()) {
            OES_WARNING(oes::core::Format(
                "Warning: No --jwt-secret: Bearer authentication disabled (Basic only).\n"
            ));
        }
        // TODO: Use Repo's users table, instead of hard-coded names below
        std::string username = "foo";
        std::string password = "bar";
        openkv::OpenKVUserMgr user_mgr =
            [usr = username, pwd = password]
            (const std::string& username, const std::string& password) {
                return (username == usr) && (password == pwd);
            };
        authN_mgr = openkv::builtinAuthMgr(user_mgr, jwtSecret);
    } else {
        assert(false);
        return false;
    }
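The point the post makes about "--authN none" is that the server splits the bearer token, re-parses the payload as JSON and trusts the "username" claim even though the signature check failed. The following is an added example, written for this page and not taken from open ETP server or OSDU, that shows in Python (chosen because its standard library has HMAC and base64, so the block runs with no dependencies) why that is exploitable and what a minimal correct check looks like: the "unverified" path reads whatever claim the client wrote, while the verifying path pins the algorithm, checks the MAC in constant time and enforces exp. The secret, the claim names and the two attacker moves (editing a claim while keeping the old signature, and an alg=none token) are constructed for the demo; only the "username" claim name is taken from the quoted code. Verifying an RS256 token from a third-party IDP follows the same shape, with the HMAC step replaced by an RSA or ECDSA signature check against the IDP's published key, which needs a crypto library and is not shown here.

```python
"""Added example: JWT payload trusted without a signature check versus an HS256 check.

Not code from open ETP server. Secret and tokens below are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Mint a compact JWS (header.payload.signature) with HMAC-SHA256."""
    signing_input = f"{_json_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_json_segment(payload)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def parse_unverified(token: str) -> dict:
    """Read the payload and ignore the signature.

    This mirrors what the post describes for --authN none: the middle segment is
    re-parsed as JSON and its claims are trusted. Whoever writes the segment
    decides who they are.
    """
    _header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Return the payload only if alg is HS256, the MAC matches and exp is in the future."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token pick it. This rejects
    # alg=none and HS256/RS256 confusion in one check.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg: {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # compare_digest avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    payload = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in payload or now >= payload["exp"]:
        raise ValueError("token expired or missing exp")
    return payload


def forge_claim(token: str, claim: str, value) -> str:
    """Attacker move: rewrite one claim and keep the original (now stale) signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload[claim] = value
    return f"{header_b64}.{_json_segment(payload)}.{sig_b64}"


def unsigned_token(payload: dict) -> str:
    """Attacker move: alg=none with an empty signature segment."""
    return f"{_json_segment({'alg': 'none', 'typ': 'JWT'})}.{_json_segment(payload)}."


def demo() -> dict:
    secret = b"constructed-demo-secret"  # constructed; a real deployment uses a random key
    now = 1_700_000_000                  # fixed clock so the demo is deterministic
    good = sign_hs256({"username": "alice", "exp": now + 3600}, secret)
    forged = forge_claim(good, "username", "admin")
    none_alg = unsigned_token({"username": "admin", "exp": now + 3600})

    def outcome(tok: str) -> str:
        try:
            return verify_hs256(tok, secret, now=now)["username"]
        except ValueError as err:
            return f"rejected: {err}"

    return {
        "unverified_good": parse_unverified(good)["username"],
        "unverified_forged": parse_unverified(forged)["username"],  # "admin" is believed
        "unverified_none": parse_unverified(none_alg)["username"],  # so is this one
        "verified_good": outcome(good),
        "verified_forged": outcome(forged),
        "verified_none": outcome(none_alg),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

Running the block prints the two unverified paths happily returning "admin" for both forged tokens, while the verifying path accepts only the genuine token and names the reason it rejected the others. Note that the builtin mode's symmetric secret has the same problem the post points out: anyone who holds it can mint tokens, so an IDP-issued token with an asymmetric signature is what a production deployment would verify.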