Uploaded image for project: 'GPII - Global Public Inclusive Infrastructure'
  1. GPII - Global Public Inclusive Infrastructure
  2. GPII-3719

Enhance data model to encode new grant types and security restrictions for keyless logon

    XMLWordPrintable

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None

      Description

      After we have determined our new OAuth grant type for GPII-3716, we will need to enhance the GPII App Installation Clients table (an old diagram is available at https://wiki.gpii.net/w/Keys,_KeyTokens,_and_Preferences ) in order to encode, for particular installations, at least, the following minimal information - 

      i) That the new OAuth grant type should be in effect for sessions secured by access tokens granted to clients presenting a matching machine secret/client credentials

      ii) An encoding of the IP blocks of the clients entitled to make such requests - this will probably consist of an array of CIDR blocks (https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing ) from which we will accept requests.

      iii) An encoding of the settings which should be permitted to be written under via keyless login. These will be updated from time to time but should include at a minimum all those which can be written via the QS and exclude any for which our schemas either don't exist or don't restrict the space of settings to a small bounded range.

      The access token generator, on receiving a matching request, will check the originating IP against the entries in the table, and reject the request if it does not match.

      We will probably do this via some "subtyping" relation so that the existing schema does not need to be migrated - it may be sufficient to do this via the presence of the new OAuth grant type encoded in the record or we may need a further subtype field.

      Given these amount to "authentication methods" we need to consider whether they will just be thrown into the Installation Clients table itself, or whether we need to coordinate with the extra tables that will be created for username/password secured login via GPII-1280 [ find better JIRA]. 

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              cli@ocad.ca Cindy Qi Li
              Reporter:
              amb26 Antranig Basman
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: