Comments (6)
JSON HAL does not describe the authorization of resources, only the references between them. But I think it's good to have it.
from rho.
@bryce-anderson Authorization has come up again in #158, and I too need some support for it. I would love to help out but could use some guidance as to how it should be implemented.
Some random thoughts/notes here:
- It would appear that HAL doesn't do anything with Authentication/Authorization so no need to worry about it.
- The swagger 'security' models appear to be implemented in rho/swagger/src/main/scala/org/http4s/rho/swagger/models.scala but swagger middleware doesn't extract any auth info.
- Swagger supports 3 kinds of authentication: OAuth, Api Key, Basic Authentication
- Swagger supports 1 kind of authorization: Scopes
So where to start?
- Forget swagger for now and add support for HTTP4s Auth middleware as a stop gap until we can get proper authorization?
- Create an AuthedRhoService that uses an AuthedRequest instead of a Request object? The AuthedRhoService could specify the security definitions for the service, and each request could have an auth and/or 'scopes' extractor on the Route to specify the required scopes or validate the api-key for that route?
- Just add an extractor, like how 'Headers' and PathVars work now, that adds the authentication metadata for swagger and a parameter to the Action that contains the User/API_key, what have you.
Thoughts?
from rho.
I'm somewhat partial to the 3rd one, since you could mix Authed and Unauthed routes in one service. Unfortunately it wouldn't share much with how HTTP4s does authentication since we have to keep the metadata.
from rho.
In my mind's eye, it would be super useful to allow whole services to be protected at once, but I also don't think this should be mandatory, and I'm not sure how that information would be surfaced to the action.
For the route-by-route case, I imagine it reasonably easy to be able to make a construct to the tune of

```scala
val authenticate: RoutingEntity[T] => RoutingEntity[Auth::T] = ???
val authedRoute = authenticate(GET / "thesecrets") |>> { auth: Auth => ??? }
```

which I think is essentially your 3rd strategy and a new class of AuthRules. What type of interface did you have in mind?
A very vague and potentially confusing/spooky idea is to expand the HListToFunction and Action types to be authentication/authorization aware. Another downside of this plan is that it makes security action-based, but it's often safer to think of it as routing-based, since even knowing the presence of a resource can be considered a security leak.
from rho.
I imagined something not too far off from what you're suggesting; might just need to experiment with a couple of solutions.
As for the change to HListToFunction, I think it would be enough if the 'authenticate' method added a parameter the function takes instead of changing HListToFunction to be auth aware. I personally think the authentication should be route based, mostly so we can get some data into swagger.
from rho.
Looks like a big change with alternative methods for AuthedRequest all the way. Any workarounds for this? I need to mix AuthedService and RhoService. :(
from rho.
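The workaround asked for in the last comment (wrapping a RhoRoutes instance in http4s's AuthMiddleware so it can sit beside ordinary authenticated routes), written out as an added example that is not part of the thread or of the rho project. It assumes http4s 0.21.x and rho 0.21.x, so it uses the newer names AuthedRoutes and RhoRoutes for the AuthedService and RhoService mentioned above. ApiUser, userKey, apiKeys, requireAuth, secretApi, publicApi and the X-Api-Key header are all made up for the illustration, and the key table is constructed sample data.

```scala
// Added example, not code from the rho project or from the thread above.
// Assumes http4s 0.21.x (AuthedRoutes, AuthMiddleware, vault Keys) and rho 0.21.x (RhoRoutes).
import cats.data.{Kleisli, OptionT}
import cats.effect.IO
import cats.implicits._
import io.chrisdavenport.vault.Key
import org.http4s.{AuthedRequest, AuthedRoutes, HttpApp, HttpRoutes, Request}
import org.http4s.implicits._
import org.http4s.rho.RhoRoutes
import org.http4s.server.AuthMiddleware
import org.http4s.util.CaseInsensitiveString

// Hypothetical principal type; the thread leaves its shape open ("User/API_key what have you").
final case class ApiUser(name: String)

// Request attribute that carries the principal from the middleware into Rho actions.
val userKey: Key[ApiUser] = Key.newKey[IO, ApiUser].unsafeRunSync()

// Constructed sample credential table for the demo; a real service looks keys up elsewhere.
val apiKeys: Map[String, ApiUser] = Map("constructed-demo-key" -> ApiUser("alice"))

type OptIO[A] = OptionT[IO, A]

// Authenticator: a known X-Api-Key header yields a principal; anything else yields None,
// which AuthMiddleware turns into a 401 before any route is consulted.
val authUser: Kleisli[OptIO, Request[IO], ApiUser] = Kleisli { req =>
  OptionT.fromOption[IO](
    req.headers.get(CaseInsensitiveString("X-Api-Key")).flatMap(h => apiKeys.get(h.value))
  )
}

val requireAuth: AuthMiddleware[IO, ApiUser] = AuthMiddleware(authUser)

// Protected Rho routes. Taking the raw Request[IO] lets the action read the principal
// that the middleware stored in the request attributes.
val secretApi: RhoRoutes[IO] = new RhoRoutes[IO] {
  GET / "thesecrets" |>> { req: Request[IO] =>
    req.attributes.lookup(userKey) match {
      case Some(user) => Ok(s"secrets for ${user.name}")
      // Only reachable if secretApi is ever mounted without requireAuth:
      // fail closed rather than falling back to a default user.
      case None => IO.raiseError(new IllegalStateException("no principal on request"))
    }
  }
}

// Build the plain HttpRoutes once, outside the per-request path.
val secretHttp: HttpRoutes[IO] = secretApi.toRoutes()

// Lift the Rho routes into AuthedRoutes: attach the principal to the request, then delegate.
val secretRoutes: AuthedRoutes[ApiUser, IO] = Kleisli { (ar: AuthedRequest[IO, ApiUser]) =>
  secretHttp.run(ar.req.withAttribute(userKey, ar.context))
}

// Unauthenticated Rho routes combine alongside the protected ones as usual.
val publicApi: RhoRoutes[IO] = new RhoRoutes[IO] {
  GET / "health" |>> { Ok("ok") }
}

// Public routes first; anything they do not match reaches the middleware, which answers 401
// for unauthenticated callers whether or not the path exists under secretApi.
val app: HttpApp[IO] = (publicApi.toRoutes() <+> requireAuth(secretRoutes)).orNotFound
```

Two things to keep in mind with this stop-gap. Enforcement happens in the middleware, before the Rho router runs, so an unauthenticated caller cannot distinguish a protected path from a non-existent one under secretApi (the concern raised earlier about resource presence leaking). And the middleware is opaque to rho: the generated swagger.json says nothing about the API-key requirement, which is exactly the metadata gap this issue is about; later rho releases let you declare securityDefinitions when building the swagger middleware, but that is documentation only and does not enforce anything.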