author | Bryan Newbold <bnewbold@robocracy.org> | 2019-01-07 17:49:02 -0800 |
---|---|---|
committer | Bryan Newbold <bnewbold@robocracy.org> | 2019-01-07 17:49:02 -0800 |
commit | 01facf0167b4d1033c6af20ba98874757dbc46e5 (patch) | |
tree | 1f2af7e93374acd2c1fd272fcf836bf38e866a27 | |
parent | 5e138c0cf74c68cbf0892437d9081f4132236ef4 (diff) | |
download | fatcat-01facf0167b4d1033c6af20ba98874757dbc46e5.tar.gz fatcat-01facf0167b4d1033c6af20ba98874757dbc46e5.zip |
basic IA XAuth notes
-rw-r--r-- | notes/auth.md | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/notes/auth.md b/notes/auth.md index b73ce343..ea249cf7 100644 --- a/notes/auth.md +++ b/notes/auth.md @@ -148,6 +148,20 @@ The `auth_oidc` enforces uniqueness on accounts in a few ways: accounts using the same remote account - all fields are NOT NULL +### archive.org "XAuth" Login + +The internet archive has it's own bespoke internal API for authentication +between services. Internal (non-public) documentation link: + + https://git.archive.org/ia/petabox/blob/master/www/sf/services/xauthn/README.md + +Fatcat implements "passthrough" authentication to this endpoint by accepting +email/password (in plaintext! red lights and sirens!) and passes them through, +along with with special staff-level authentication keys, to authenticate and +fetch user info. Fatcat then pretends this was a regular OAuth/OIDC +interaction, substituting the archive.org user "itemname" as a persistent +identifier, and the XAuth endpoint as the service key. + ## Role-Based Authentication (RBAC) Current acknowledge roles: @@ -177,11 +191,8 @@ Tokens and other secrets can be store in environment variables, scripts, or Want to support more OAuth/OIDC endpoints: -- archive.org: bespoke "XAuth" thing; would be reasonable to hack in support. - use user itemname as persistent 'sub' field - orcid.org: supports OIDC - wikipedia/wikimedia: OAuth; https://github.com/valhallasw/flask-mwoauth -- additional Additional macaroon caveats: |
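Review bot: the new "XAuth" Login section (first hunk, lines 148-168 of notes/auth.md) flags that email/password are accepted in plaintext but stops short of saying what the passthrough must guarantee; add a sentence stating that the fatcat-to-XAuth hop is TLS-only, that the password is never logged or persisted (only the returned "itemname" is kept), and where the "special staff-level authentication keys" live, since the later section says tokens and secrets go in environment variables or scripts and a reader will look for that here. Two typos in the added text: "The internet archive has it's own bespoke" should read "its own", and "along with with special staff-level" doubles "with".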
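Review bot: the second hunk (around line 191) removes the archive.org wishlist bullet, which is consistent with the new section above, but it also silently drops the dangling "- additional" bullet; if that was a stub for a real item, say so in the commit message, otherwise the cleanup is fine. While touching this region, the unchanged context line "Tokens and other secrets can be store in environment variables" should read "stored".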