additional session data for dynamic authorization for publish subscribe

#1

Hi, I’m evaluating crossbar/WAMP for an upcoming project. Now I have two parts of authentication and authorization:

  1. WAMP/Crossbar
  2. within the application

In 1) I have to authenticate and authorize any client within my distributed app, both server-side components which provide the app logic and the clients that use them (mobile app, webapp, …). I would like to use certificate-based authentication at this point to authenticate components A, B, … and then use dynamic authorization based on their auth-id to allow/deny registering new methods. The client app authenticates with certificates too and may call any (or most) methods provided by the components.

In 2) any remote method must check if a caller provides authentication credentials (in my case a token) and then check if the caller has permissions to perform this action (e.g. requesting a certain file that is protected and must only be accessed by certain users).

I would like to use this architecture mainly because just checking if a client may call a method does not provide enough security (e.g. any user may use the get_file() method but only get files he is allowed to read). Secondly, this provides me with a strict separation between app-level users and their permissions and the components involved in my distributed system (e.g. Mobile-App, Administrative-App, File-Management-Component, Permission-Component, …). The latter also suits a system that is extensible through third-party components providing some extra functionality very well.

Unfortunately I’m then running into problems with the publish/subscribe model. As Crossbar handles subscribe and publish permissions on the WAMP level, I can’t grant or deny access to subscribing to a topic like .private.example.com which is only for one specific (app-level) user.

Is there any way to provide/access additional information in dynamic authorization? As far as I see from the documentation I only get the session, the URI and the action a (WAMP-level) client wants to invoke, but the session object only holds information on the WAMP-level authentication id (e.g. Mobile-App). But I would need to provide an additional app-level token which is then used to grant or deny access to the topic. Is there any way to do this?

cheers sieben

0 Likes

#2

Hi Sieben

My question for you would be: Why is this song and dance with the token necessary?

Consider using an alternate system where the information needed to decide whether or not a given authenticated session (authid) may make a call/registration/subscription/publish is made available to the dynamic authorizer by simply using the authenticated authid to look up permissions information from some data storage system (e.g. an RDBMS) that contains the details of what permissions are available to which authid.

If you absolutely have to pass some kind of token in to the dynamic authorizer then you will have to stick it in the URI.

But honestly, the kind of token passing you describe is a scenario more applicable to classic RESTful web applications running on pure HTTP (which is stateless by default) than to WAMP-based web applications running on WS (which is persistent and stateful).

0 Likes

#3

Hi Adam,

The solution using the session authid is basically what I thought about last night after writing the post.

I have to use the ticket-based authentication/authorization because I have to integrate with an existing token-based auth service. The way to go would be to store a relation between a token/user referenced on the existing auth service and the WAMP session authid and then use this for authorization. Doing this I could use the stateful WAMP auth instead of using a token on every request, just as you said.

Still, I would like to use certificate-based authentication for components in addition to the (then one-time, at joining) token authentication for clients. Does Crossbar support using multiple authentication methods in one installation?

0 Likes

#4

Hi Sieben

Crossbar does support multiple authentication methods but I’m not sure it’s what you’re after. I use multiple authenticators for a two-step authentication process involving OTPs but I don’t think this is what you want.

It is possible to implement a dynamic TLS certificate-based authenticator. See the https://github.com/crossbario/crossbar-examples/tree/master/authentication/tls/dynamic example. I think you can build on this and take advantage of the authextra field available on the details parameter supplied to the authenticate endpoint in order to pass the token in with the authentication call. The authenticator can then check the certificates and also check and store the token, allowing you to access it later in the dynamic authorizer using the authid to retrieve it.

Cheers

Adam

0 Likes
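The approach sketched across post #2 (authorizer looks permissions up by authid) and post #4 (dynamic TLS authenticator that also validates a token from authextra), as an added example in Python; it is not code from the thread, from the linked crossbar-examples repository, or from Crossbar itself. Everything below is an assumption for illustration: the token format "user:expiry:hexsig" standing in for the existing token service, the field layout `details["transport"]["client_cert"]["sha256"]` and `details["authextra"]` (to be checked against the linked tls/dynamic example), that Crossbar adopts the `authid` a dynamic authenticator returns for the joining session, the certificate registry, the permission table, and the `com.example.*` URI scheme. The two procedures are plain functions here; in a deployment they would be registered from an ApplicationSession under the URIs named in the Crossbar config. One caveat the example makes explicit: every mobile-app instance presents the same certificate and would get the same WAMP authid (the "Mobile-App" problem from post #1), so the authenticator must turn the validated token into a per-user identity for the session rather than store the token against the shared app authid.

```python
import hashlib
import hmac
import time

# Constructed secret for the assumed token format "user:expiry:hexsig" of the
# existing token service; a real deployment verifies against that service instead.
TOKEN_SECRET = b"constructed-demo-secret"


def issue_token(user, expires_at):
    """Mint a token the way the existing token service is assumed to (demo only)."""
    msg = f"{user}:{expires_at}".encode()
    sig = hmac.new(TOKEN_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{user}:{expires_at}:{sig}"


def verify_token(token, now=None):
    """Return the app-level user named by a valid, unexpired token; None otherwise."""
    try:
        user, expires_at, sig = token.split(":")
        expires_at = int(expires_at)
    except (AttributeError, ValueError):
        return None
    msg = f"{user}:{expires_at}".encode()
    expected = hmac.new(TOKEN_SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    if (time.time() if now is None else now) >= expires_at:
        return None
    return user


# Constructed registry: certificate fingerprint -> what the certificate stands for.
KNOWN_CERTS = {
    "11" * 32: {"kind": "component", "authid": "file_component"},
    "33" * 32: {"kind": "app", "authid": "mobile_app"},
}
# Constructed stand-in for the per-user permission store of post #2 (e.g. an RDBMS).
USER_FILES = {"alice": {"report.pdf"}, "bob": {"notes.txt"}}


def authenticate(realm, authid, details, now=None):
    """Dynamic authenticator: Crossbar calls it as authenticate(realm, authid, details).

    Assumed field layout (check against the linked tls/dynamic example):
    details["transport"]["client_cert"]["sha256"] is the presented certificate's
    fingerprint and details["authextra"] is what the client sent in HELLO.
    Returns the principal dict; raises on failure so the join is refused.
    """
    cert = (details.get("transport") or {}).get("client_cert") or {}
    entry = KNOWN_CERTS.get(cert.get("sha256"))
    if entry is None:
        raise ValueError("missing or unknown client certificate")
    if entry["kind"] == "component":
        # Components are authenticated by certificate alone.
        return {"role": "component", "authid": entry["authid"]}
    # App instances (mobile app, web app) must also present the user's token.
    user = verify_token((details.get("authextra") or {}).get("token"), now)
    if user is None or user not in USER_FILES:
        raise ValueError("invalid or expired application token")
    # Every mobile-app session shares the same certificate, so keying anything on
    # "mobile_app" would let one user's session be mistaken for another's.
    # Assumed: Crossbar adopts the "authid" returned here for this session, which
    # makes the app user the WAMP identity the authorizer later sees.
    return {"role": "client", "authid": user, "extra": {"app": entry["authid"]}}


def authorize(session, uri, action, options=None):
    """Dynamic authorizer: Crossbar calls it as authorize(session, uri, action, options).

    URI scheme assumed for the example: procedures live under
    com.example.<component>.*, per-user topics under com.example.private.<user>.*.
    """
    authid, role = session.get("authid"), session.get("authrole")
    if role == "component":
        own = uri.startswith(f"com.example.{authid}.")
        private = uri.startswith("com.example.private.")
        # A component may register/call under its own prefix and push events to
        # any user's private topic; it may not subscribe to user topics.
        allow = (action in ("register", "call") and own) or (action == "publish" and private)
        return {"allow": allow, "disclose": True}
    if role == "client":
        if action == "call":
            # Any component procedure; per-file rights are enforced by the callee
            # from the disclosed caller authid (see get_file below).
            allow = uri.startswith("com.example.") and not uri.startswith("com.example.private.")
        elif action == "subscribe":
            # Only this user's own private topics (the trailing dot stops
            # "alice" from matching "alice2").
            allow = uri.startswith(f"com.example.private.{authid}.")
        else:
            allow = False  # clients neither register procedures nor publish
        return {"allow": allow, "disclose": True}
    return {"allow": False, "disclose": False}


def get_file(name, caller_authid):
    """Component-side check from post #1, item 2: with disclose=True the callee
    receives the caller's authid (now the app user) and needs no per-call token."""
    if name not in USER_FILES.get(caller_authid, set()):
        raise PermissionError(f"{caller_authid} may not read {name}")
    return f"<contents of {name}>"
```

Returning `disclose: True` from the authorizer is what lets the component's `get_file` see `details.caller_authid`; that is the stateful replacement for the per-request token the thread set out to avoid. Private topics are named after the user, so `alice` can subscribe to `com.example.private.alice.*` while a subscribe to `com.example.private.bob.*` is refused at the WAMP level, which is exactly the per-user topic control post #1 asked for.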