(re-send after joining the core list)

Chris & Bryan,
On 04/30/2014 10:58 AM, Bryan Davis wrote:
> I would advocate designing all services such that they are ready to be
> used externally even if they are initially firewalled or proxied. I
> agree that making "internal only" service interfaces is much easier
> but over the longer term it becomes very likely that some things that
> were built to be internal only will be found to be useful to expose
> directly to the outside world. In my experience it is much trickier to
> graft a robust auth layer onto a service that already has multiple
> internal consumers than it is to build this feature into a service
> from the start.

I completely agree with this. Relying on consistent access right checking in a variety of front-ends is a brittle solution. Any exploit in one of those front-ends has potentially nasty consequences.

Here is a sketch of an authentication system that's a bit more robust, and potentially also more efficient:

* the authentication service is the only service with access to passwords and other sensitive user info
* users retrieve signed and time-limited tokens from the authentication service, for example using OAuth2; these could be transmitted using HTTP-only cookies
* most other services have no built-in privileges; they merely pass on tokens provided by users to backend services. This reduces the risk of confused deputies and helps to limit the potential impact of exploits.
* tokens ideally encode the most common rights and are signed (example: JSON web tokens in OAuth2). This allows backend services to verify their validity by checking the signature & time without needing to call back into the authentication service. More complex rights are handled by calling back into the auth service.
* all authenticated client connections are encrypted with TLS

I have started to draft an RFC on this at [2]. Please chime in if you are interested.
Gabriel

[1]: https://www.mediawiki.org/wiki/Requests_for_comment/Content_API
[2]: https://www.mediawiki.org/wiki/Requests_for_comment/SOA_Authentication
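The token flow sketched in Gabriel's message above (an auth service that alone sees passwords, signed time-limited tokens carrying common rights, front-ends that merely forward the user's token, backends that verify signature and expiry locally and call back only for complex rights), as an added example that is not part of the thread or of any MediaWiki code. It assumes an HMAC-SHA256 (JWT "HS256"-style) signature with a key shared between the auth service and the backends, an `exp` claim for the time limit, a `rights` claim for the common rights, and a constructed user record and rights rule; none of those details are stated in the message.

```python
"""Added example (not from the mailing-list thread or from MediaWiki):
a minimal JWT-style token issued by an auth service and verified
statelessly by a backend that holds no privileges of its own.

Assumed, not from the page: HS256-style HMAC signing with a shared key,
an 'exp' claim for the time limit, a 'rights' claim for common rights.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

SIGNING_KEY = b"constructed-demo-key-do-not-reuse"  # constructed sample key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthService:
    """The only component that sees credentials; issues signed, time-limited tokens."""

    def __init__(self, key: bytes, ttl_seconds: int = 300):
        self.key = key
        self.ttl = ttl_seconds
        # constructed user record; the password never leaves this class
        self._users = {"alice": {"password": "correct horse", "rights": ["read", "edit"]}}

    def login(self, user: str, password: str, now: Optional[float] = None) -> Optional[str]:
        rec = self._users.get(user)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return None
        now = int(time.time() if now is None else now)
        header = {"alg": "HS256", "typ": "JWT"}
        payload = {"sub": user, "rights": rec["rights"], "iat": now, "exp": now + self.ttl}
        signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                         + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
        sig = hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(sig)

    def has_complex_right(self, payload: dict, right: str) -> bool:
        """Callback for rights not encoded in the token (constructed rule: only alice may protect)."""
        return right == "protect" and payload.get("sub") == "alice"


def verify_token(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Stateless check a backend can perform without calling the auth service.

    Returns the payload on success, None on any signature, format, algorithm
    or expiry failure. The signature is checked before the payload is parsed.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    signing_input = parts[0] + "." + parts[1]
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            return None
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # refuse 'none' etc.
        return None
    now = time.time() if now is None else now
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


class BackendService:
    """Holds no user privileges; trusts only the signed token it is handed."""

    def __init__(self, key: bytes, auth: AuthService):
        self.key = key
        self.auth = auth

    def handle(self, token: str, right: str, now: Optional[float] = None) -> str:
        payload = verify_token(token, self.key, now)
        if payload is None:
            return "401 invalid or expired token"
        rights: List[str] = payload.get("rights", [])
        if right in rights:
            return "200 ok (local check)"
        if self.auth.has_complex_right(payload, right):  # call back only for complex rights
            return "200 ok (auth service check)"
        return "403 forbidden"


class FrontendService:
    """No built-in privileges: it merely passes the user's token on to the backend."""

    def __init__(self, backend: BackendService):
        self.backend = backend

    def request(self, user_token: str, right: str, now: Optional[float] = None) -> str:
        return self.backend.handle(user_token, right, now)
```

A backend that reaches the local `rights` check never needs the auth service, which is the efficiency gain the message describes; the callback in `has_complex_right` is the path for rights the token does not encode. Because the front-end forwards the user's own token rather than acting with its own credentials, a compromised front-end can only do what that user could already do, and the token's `exp` bounds how long a stolen one is useful.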
