Authentication support in BuildGrid
Context
Currently, all access to BuildGrid is unauthenticated, meaning there is no way to allow/deny connections or have any information about the user sending the request. This information is useful for monitoring, quota management, and general permissioning.
Proposal
Have OAUTH2 be the supported authentication model, and do it in two steps. This removes a lot of complexity from BuildGrid/potential clients First, have a dedicated authentication tool that will handle the initial authentication, called bgd auth in this example, and a helper auth endpoint.
This helper auth endpoint could be part of BuildGrid itself, but it probably makes sense to have it external.
Second, when the client has a valid access token, it passes it to BuildGrid where it gets verified. This example uses a JWT as the access token.
The last piece of the story is when a client tries to connect with an expired access token, and wants to refresh it using a refresh token.
This auth helper could once again be part of BuildGrid, or something external.
Task Description
-
Create a dedicated auth tool to handle the initial negotiation -
Create a lightweight external endpoint to get/display access and refresh token to user -
Add to external endpoint to allow refreshing access token -
Create a callback for handling server side verification of OAUTH2.0 credentials -
Add support for token validation on BuildGrid server side: #144 (closed) -
Add config file support to configure the authentication: #147 (closed)
Acceptance Criteria
-
Have a supported method for authenticated access to BuildGrid -
After the authentication, BuildGrid has access to some information about the requester -
Have a clear way of adding new authentication methods -
Be able to change authentication methods with changes in the configuration file
Open Questions
- This have been mainly dealing with the authentication side, but not with what to do with the info about the requester. Should it be a standard format? Should it be a direct mapping of the payload key-value pairs?
- What other authentication methods make sense to consider when designing the interface?
- Since most of the authentication stuff is done in an external helper, with the only change in BuildGrid being verifying the actual JWT and getting info from it, should we aim for having something like an authentication proxy instead? BuildGrid would then just expect to get user info from attached metadata on the request. Not sure if that's a better approach, just a thought.