This page outlines the planned approach to Grouper authentication in Grouper 2.5 and above.
First off, whatever authn you use for Grouper UI and WS will still be available. i.e. if you are using shib and LDAP WS authn, then most of this won't apply to you (only the section on restricting source IP address)... However...
We need a better built-in WS authentication method than basic auth
- Passwords not stored in clear text in tomcat-users
- Passwords not transmitted on the wire
- We need something not tomcat specific
- Tomcat config files are painful to automate the use/removal of
- Ability to filter the source address for WS
We need easier quick starts and bootstraps in UI/WS
Password table in Grouper: grouper_password
Note, even if Grouper is not doing authn, it could still restrict the source address. For WS, any authns would get a record inserted or updated here
Column | Type | Description |
---|---|---|
id | varchar (40) | uuid of this entry (one user could have ui and ws credential) |
username | varchar (255) | username or local entity system name |
type | varchar (20) | username or localEntity |
is_hashed | varchar (1) | T for is hashed, F for is public key |
encryption_type | varchar (20) | e.g. SHA-256 or RS-256 (key type) |
the_salt | varchar (255) | secure random prepended to hashed pass |
the_password | varchar (4000) | encrypted public key or encrypted hashed salted password |
ws_or_ui | varchar (2) | ws (includes scim) or ui |
allowed_from_cidrs | varchar (255) | network cidrs where credential is allowed from |
recent_source_addresses | varcahr (4000) | json with timestamps |
failed_source_addresses | varchar (4000) | if restricted by cidr, this was failed IPs (json with timestamp?) |
last_authenticated | timestamp | when last authenticated |
last_edited | timestamp | when this was last edited |
failed_logins | varchar (4000) | json of failed attempts |
JWT table recently used in Grouper: grouper_password_recently_used
A process would clean these out after the configured drift (10 minutes)
Column | Type | Description |
---|---|---|
jwt_jti | varchar (100) | e.g. uuid of this entry (sent from client) |
jwt_iat | integer (11) | seconds since 1970 that this was issued |
Manage passwords
UI for admins to set a user's (or local entity's) UI password or could restrict source IP cidrs. UI passwords would need to follow strength rules
UI for admins or end users (self serve) to download a new generated WS private key or password for a local entity they can ADMIN or restrict source IP cidrs
- Someone who can create in a folder (and optionally in a group who can create WS credentials)
- Create a local entity
- Download its password or private key (can only download once)
- Grant privs to the local entity
- Use it in WS calls
Admins and end users can not view or re-download passwords or private keys
Basic authn built in to Grouper
If configured (for quick start only), the UI could use basic auth and use passwords configured for users
Its possible users could reset their password using their old password to authenticate.
Passwords for WS
Your LDAP or Kerberos or apache or tomcat authn would still work. Its possible there could be multiple allowed... i.e. to transition into local entity JWT authn. Depending on configuration.
Private key signed JWT would be recommended with WS, or required at some sites. Source IP's could be required too
- Username is the system name of the local entity
- Private key is a generated by Grouper and downloaded once
- This is not sent across the wire in WS calls
JWT details
- To authenticate with JWT the client would
- Generate a valid jwt jti (e.g. uuid)
- Have the correct time within configured drift (10 minutes?), get the seconds since 1970 (GMT)
Send a "Bearer" authorization header sfdlh23kjh.kjhsdfkjhsf.kjh345kjhkjh (three parts separated by dot)
First part is the header is base64 url encoded
{ alg: "RS-256", typ: "JWT" }
The second part is what makes the token unique and identifies the user
- jti is a unique value per request (across clusters), cannot be re-used. e.g. a uuid
- username is: system name of local entity
- iat: Number of seconds since 1970 (that the ticket is issued), the number received on server needs to be within the allowable time drift
{ jti: "abc123", username: "org:businessSchool:credentials:wiki", iat: 1234567 }
- Thus the same request cannot be replayed