From 01facf0167b4d1033c6af20ba98874757dbc46e5 Mon Sep 17 00:00:00 2001 From: Bryan Newbold Date: Mon, 7 Jan 2019 17:49:02 -0800 Subject: basic IA XAuth notes --- notes/auth.md | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/notes/auth.md b/notes/auth.md index b73ce343..ea249cf7 100644 --- a/notes/auth.md +++ b/notes/auth.md @@ -148,6 +148,20 @@ The `auth_oidc` enforces uniqueness on accounts in a few ways: accounts using the same remote account - all fields are NOT NULL +### archive.org "XAuth" Login + +The internet archive has it's own bespoke internal API for authentication +between services. Internal (non-public) documentation link: + + https://git.archive.org/ia/petabox/blob/master/www/sf/services/xauthn/README.md + +Fatcat implements "passthrough" authentication to this endpoint by accepting +email/password (in plaintext! red lights and sirens!) and passes them through, +along with with special staff-level authentication keys, to authenticate and +fetch user info. Fatcat then pretends this was a regular OAuth/OIDC +interaction, substituting the archive.org user "itemname" as a persistent +identifier, and the XAuth endpoint as the service key. + ## Role-Based Authentication (RBAC) Current acknowledge roles: @@ -177,11 +191,8 @@ Tokens and other secrets can be store in environment variables, scripts, or Want to support more OAuth/OIDC endpoints: -- archive.org: bespoke "XAuth" thing; would be reasonable to hack in support. - use user itemname as persistent 'sub' field - orcid.org: supports OIDC - wikipedia/wikimedia: OAuth; https://github.com/valhallasw/flask-mwoauth -- additional Additional macaroon caveats: -- cgit v1.2.3
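Review bot: in the new "archive.org XAuth Login" section the plaintext-credential warning ("in plaintext! red lights and sirens!") should be replaced with the concrete handling rules a reader of notes/auth.md needs: the email/password pair must only ever be accepted and forwarded over TLS, must never be written to request or error logs, and the "special staff-level authentication keys" belong with the other secrets described later in this file ("Tokens and other secrets can be store in environment variables, scripts, or ..."). The section also drops a detail that the TODO item removed in the next hunk carried, namely that the archive.org "itemname" is used as the OIDC 'sub' field; say so explicitly ("substituting the archive.org user "itemname" as the persistent 'sub' identifier") so the mapping is documented rather than implied. Minor wording: "it's own bespoke" should be "its own bespoke", and "along with with special staff-level" has a duplicated "with".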
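Review bot: removing the "archive.org: bespoke "XAuth" thing" TODO entry is correct now that the section above documents it, and dropping the stray "- additional" bullet is fine, but the removed sub-line "use user itemname as persistent 'sub' field" was the only place the 'sub' mapping was spelled out; make sure that wording survives in the new section rather than being lost in this edit. Drive-by: the unchanged context line "Tokens and other secrets can be store in" should read "can be stored in".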