-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authentication method for internal services #11
Comments
We should create endpoints for these specific actions (like creating/deleting service accounts) I am thinking of a logical organization of Developer account
|
I will be naming this feature |
In order to support this feature, we will be adding encrypted passwords as refresh tokens for internal applications. We will also need to authenticate AbandonAuth users on AbandonAuth in order to create and manage their developer applications. Due to this we will need to distinguish between short-lived tokens for token exchange during OAuth and long-lived tokens for persistent user sessions on AbandonAuth. I will be adding a new endpoint for logging into AbandonAuth. This will differ than the existing endpoints as this will use AbandonAuth's 3rd-party OAuth providers to authenticate users on AbandonAuth itself. This will also pave the way for an AbandonAuth UI and account management options. |
Summary
We need to securely create and authenticate accounts for internal services. It is not practical to use an external auth provider for these accounts. We should determine how we would like to implement this.
The most secure method would be to generate accounts that can authenticate via a secure refresh token. We can either manually create special service accounts (only to be used internally) or we can offer this account type as a service (a developer account, not to be regular-user-facing).
We would generate a secure, long-lived refresh token that can be negotiated for a short lived JWT access token, this JWT access token can then be negotiated with the invoking login service for whatever form of auth that services wishes to use.
Another option is to do the above process, but replace the refresh token with username/password authentication. Although this will likely not be as secure.
Proposed Acceptance Criteria
The text was updated successfully, but these errors were encountered: