Uploaded image for project: 'GPII - Global Public Inclusive Infrastructure'
  1. GPII - Global Public Inclusive Infrastructure
  2. GPII-3719

Enhance data model to encode new grant types and security restrictions for keyless logon



    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:


      After we have determined our new OAuth grant type for GPII-3716, we will need to enhance the GPII App Installation Clients table (an old diagram is available at https://wiki.gpii.net/w/Keys,_KeyTokens,_and_Preferences ) in order to encode, for particular installations, at least, the following minimal information - 

      i) That the new OAuth grant type should be in effect for sessions secured by access tokens granted to clients presenting a matching machine secret/client credentials

      ii) An encoding of the IP blocks of the clients entitled to make such requests - this will probably consist of an array of CIDR blocks (https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing ) from which we will accept requests.

      iii) An encoding of the settings which should be permitted to be written under via keyless login. These will be updated from time to time but should include at a minimum all those which can be written via the QS and exclude any for which our schemas either don't exist or don't restrict the space of settings to a small bounded range.

      The access token generator, on receiving a matching request, will check the originating IP against the entries in the table, and reject the request if it does not match.

      We will probably do this via some "subtyping" relation so that the existing schema does not need to be migrated - it may be sufficient to do this via the presence of the new OAuth grant type encoded in the record or we may need a further subtype field.

      Given these amount to "authentication methods" we need to consider whether they will just be thrown into the Installation Clients table itself, or whether we need to coordinate with the extra tables that will be created for username/password secured login via GPII-1280 [ find better JIRA]. 


          Issue Links



              cli@ocad.ca Cindy Qi Li
              amb26 Antranig Basman
              0 Vote for this issue
              3 Start watching this issue