...
Background
Currently content update is done by the user who created it which creates problem and is complex in scenarios where an admin want to update content by retired user. There should be an easy way to allow users to update content at the same time it should have authentication.
Solution Approach
approach 1 :
There should be a way to allow certain operations and for that we need to maintain master keys. These master keys would be created and stored through API by admin and would be used by anyone to bypass the current authentication mechanism which restricts some flow.
There should be APIs to create, get and verify the master key.
create API
it will be used to create a key with parameters channel, name and orgId.
Approach to generate Key
Problem Statement 1
What is the approach to generate the key?
Solution 1
Create JWT token with data passed upon. A JWT token will be created using secret key and below data
- channel
- name
- description
- organisationId
- createdBy
- createdOn
- name
- orgId
- expiresOn
Solution 2
Custom generated time based key
...
.
Solution 3
Using keycloak to generate an verify token to be used as masterkey.
Pros and Cons
...
| Key Generation Approach | Pros | Cons |
|---|---|---|
| JWT | no need to store the key in DB | |
| Custom | method is available so negligible time consuming | key needs to be stored in db |
| No Format | ||
|---|---|---|
| ||
POST /v1/masterkey/create
Request body :
{
request : {
"channel" : "sunbird", // channel name for which master key is generated
"consumer" : "DikshaImplTeam", // consumer name who will use the key
"orgId" : "01262366359399628812" // optional orgId to make the key org specific, default value is rootOrgId of channel
}
}
Response body : (Success) 200
{
"id": "api.masterkey.create",
"ver": "v1",
"ts": "2019-01-29 09:17:31:909+0000",
"params": {
"resmsgid": null,
"msgid": "9db786d3-45c2-447d-b657-f9768da15652",
"err": null,
"status": "success",
"errmsg": null
},
"responseCode": "OK",
"result": {
"key" : "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjaGFubmVsIjoic3VuYmlyZCIsIm5hbWUiOiJEaWtzaGFJ bXBsVGVhbSIsImNyZWF0ZWRCeSI6MTUxNjIzOTAyMiwiY3JlYXRlZE9uIjoxNTE2MjM5MDIyLCJleHBpcmVzT24iOjE1MTYyNDkwMjIsIm9yZ0lkIjoiMjM0NTY1NDU2In0.Cs5-FW7OHip6njkQvMP6zpIVB5Q-xLLgz_jnYW3zPOw"
}
}
Response body : (Error) 400
{
"id": "api.masterkey.create",
"ver": "v1",
"ts": "2018-01-29 11:12:31:853+0000",
"params": {
"resmsgid": null,
"msgid": "8e27cbf5-e299-43b0-bca7-8347f7e5abcf",
"err": "KEY_EXISTS",
"status": "KEY_EXISTS",
"errmsg": "Key exists for given channel sunbird and consumer DikshaImplTeam"
},
"responseCode": "CLIENT_ERROR",
"result": {
}
} |
Table Structure
...
| Keycloak | comparatively faster to implement | no support for channel or organisation based key key would expire based on keycloak configuration |
Problem Statement 2
What are the APIs required to manage master keys?
API Specifications
Create API
name and channel / organisationId is mandatory.
URL:
POST /v1/auth/masterkey/create
Headers:
- Authorization
- x-authenticated-user-token
Request Params:
| param name | type | description |
|---|---|---|
| channel | String | channel for which master key is applicable for, if not provided can be calculated from organisationId |
| name | String | consumer name |
| organisationId | String | organisationId for which master key is applicable for, if not provided can be calculated from channel |
Response Params:
| param name | type | description |
|---|---|---|
| key | String | generated master key, mapped with the requested channel/organisationId and name |
Errors:
| status code | error code | error message |
|---|---|---|
| 400 | INVALID_ORG_ |
| DATA | Given Organization Data doesn't exist in our records. Please provide a valid one. | |
| 400 | MANDATORY_PARAMETER_MISSING | Mandatory parameter {channel/organisationId, name} is missing. |
| 400 | PARAMETER_MISMATCH | Mismatch of given parameters: channel, |
...
| organisationId. | ||
| 400 | KEY_EXISTS | Key exists for given channel {} and consumer {} |
Sample Request and Response:
| No Format | ||
|---|---|---|
| ||
POST /v1/masterkey/get Request body : { request : { "channel" : "sunbird", "consumername" : "DikshaImplTeam", } } Response body : (Success) 200 { "id": "api.masterkey", "ver" "orgId" : "v101262366359399628812", } } "ts": "2019-01-29 09:17:31:909+0000", "params": Response { "resmsgidid": null, "msgid": "9db786d3-45c2-447d-b657-f9768da15652", "err": null, "status": "success", "errmsg": null }, "responseCode": "OK", ""api.auth.masterkey.create", "result": { "key" : "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjaGFubmVsIjoic3VuYmlyZCIsIm5hbWUiOiJEaWtzaGFJ bXBsVGVhbSIsImNyZWF0ZWRCeSI6MTUxNjIzOTAyMiwiY3JlYXRlZE9uIjoxNTE2MjM5MDIyLCJleHBpcmVzT24iOjE1MTYyNDkwMjIsIm9yZ0lkIjoiMjM0NTY1NDU2In0.Cs5-FW7OHip6njkQvMP6zpIVB5Q-xLLgz_jnYW3zPOw" } } Response body : (Error) 404 { "id": "api.masterkey", "ver": "v1", "ts": "2018-01-29 11:12:31:853+0000", "params": { "resmsgid": null, "msgid": "8e27cbf5-e299-43b0-bca7-8347f7e5abcf", "err": "KEY_NOT_EXISTS", "status": "KEY_NOT_EXISTS", "errmsg": "Key does not exists for given channel sunbird" }, "responseCode": "RESOURCE_NOT_FOUND", "result": { } } |
verify API
| No Format | ||
|---|---|---|
| ||
POST /v1/masterkey/verify
Request body : |
Verify API
URL:
POST /v1/auth/masterkey/verify
Headers:
- Authorization
Request Params:
| param name | type | description |
|---|---|---|
| key | String | master key to verify |
Response Params:
| param name | type | description |
|---|---|---|
| channel | String | channel name related to master key |
| name | String | consumer name |
| description | String | describes the purpose for master key |
| organisationId | String | organisation Id mapped with key |
| createdBy | String | userId of the person who created the key |
| createdOn | timestamp | timestamp when master key was created |
Errors:
| status code | error code | error message |
|---|---|---|
| 400 | INVALID_KEY | Given master key is invalid |
| 400 | MANDATORY_PARAMETER_MISSING | Mandatory parameter key is missing. |
Sample Request and Response:
| No Format | ||
|---|---|---|
| ||
Request { request : { "key" : "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjaGFubmVsIjoic3VuYmlyZCIsIm5hbWUiOiJEaWtzaGFJ bXBsVGVhbSIsImNyZWF0ZWRCeSI6MTUxNjIzOTAyMiwiY3JlYXRlZE9uIjoxNTE2MjM5MDIyLCJleHBpcmVzT24iOjE1MTYyNDkwMjIsIm9yZ0lkIjoiMjM0NTY1NDU2In0.Cs5-FW7OHip6njkQvMP6zpIVB5Q-xLLgz_jnYW3zPOw" } } Response body : (Success) 200 { "id": "api.auth.masterkey.verify", "ver": "v1", "ts": "2019-01-29 09:17:31:909+0000", "params": result": { "resmsgidchannel": null, "msgid": "9db786d3-45c2-447d-b657-f9768da15652""sunbird", "errname": null, "status": "success", "errmsg": null }, "responseCode": "OK", "result": { "channel"DikshaImplTeam", "description": "sunbird", organisation content" "consumerorganisationId": "DikshaImplTeam01262366359399628812", "createdBy": "00dd6646-be73-4fb0-b676-ccd01bda085e", "createdOn":15162390221548932815386, "expiresOn":1516249025, "orgId": "01262366359399628812" } } Response body : (Error) 400 { "id": "api.masterkey.create", "ver": "v1", "ts": "2018-01-29 11:12:31:853+0000", "params": { "resmsgid": null, "msgid": "8e27cbf5-e299-43b0-bca7-8347f7e5abcf", "err": "INVALID_KEY", "status": "INVALID_KEY", "errmsg": "Provided key for channel sunbird is invalid" }, "responseCode": "CLIENT_ERROR", "result": { } } |
approach 2:
In previous approach we are considering a master key which will be expired after certain duration. But it can be modified to include a refresh token which can be used to generate a new master key. Note that refresh token has it's own expiry, post that it requires to create a new master key and refresh token by create API call.
The benefit of this is that it helps in mitigate leaking of master key by making the expiry duration of short intervals.
| No Format | ||
|---|---|---|
| ||
POST /v1/masterkey/create
Request body : |
Delete API
URL:
POST /v1/auth/masterkey/delete
Headers:
- Authorization
- x-authenticated-user-token
Request Params:
| param name | type | description |
|---|---|---|
| channel | String | channel for which master key needs to be deleted |
| name | String | consumer name |
| organisationId | String | organisationId for which master key needs to be deleted |
Response Params:
None
Errors:
| status code | error code | error message |
|---|---|---|
| 400 | MANDATORY_PARAMETER_MISSING | Mandatory parameter {channel/organisationId, name} is missing. |
| 400 | KEY_NOT_EXISTS | Key does not exists for given channel {} and consumer {} |
Sample Request and Response:
| No Format | ||
|---|---|---|
| ||
Request { request : { "channel" : "sunbird" } } Response body : (Success) 200 { "id": "api.masterkey.create", "ver": "v1", "ts": "2019-01-29 09:17:31:909+0000", "params": { "resmsgid": null, "msgid": "9db786d3-45c2-447d-b657-f9768da15652", "err": null, "status": "success", "errmsg": null }, "responseCode": "OK", "result": { "key "name" : "1fb786d3-45c2-447d-b657-f9768da15348DikshaImplTeam", "expiresOnorgId": 120, "refreshToken": "3ab586d3-45c2-447d-b657-g9768da13730" } } request to regenerate the key need refresh token { request : { "channel" : "sunbird", "refreshToken": "3ab586d3-45c2-447d-b657-g9768da13730: "01262366359399628812" } } Response body (Success : 200) { "id": "api.masterkey.create", "ver": "v1", "ts": "2019-01-29 11:17:31:909+0000", "params": { "resmsgid": null, "msgid": "9db786d3-45c2-447d-b657-f9769da15652", "err": null, "status": "success", "errmsg": null }, "auth.masterkey.delete", "responseCode": "OK", "result": { "key" : "3gh686e3-45c2-447d-b657-b3364da84351", "expiresOn": 120, "refreshToken": "3ab586d3-45c2-447d-b657-g9768da13730" } } |
There would be a TTL on the refresh token, so as the entry gets removed after refresh token expiry and then it would require to create a fresh entry.
get API response
| No Format | ||
|---|---|---|
| ||
{
"id": "api.masterkey.create",
"ver": "v1",
"ts": "2019-01-29 11:18:31:909+0000",
"params": {
"resmsgid": null,
"msgid": "9db786d3-45c2-447d-b657-f9769da15652",
"err": null,
"status": "success",
"errmsg": null
},
"responseCode": "OK",
"result": {
"key" : "3gh686e3-45c2-447d-b657-b3364da84351",
"expiresOn": 30,
"refreshToken": "3ab586d3-45c2-447d-b657-g9768da13730"
}
}
Response for expired key : (Error) 400
{
"id": "api.masterkey.create",
"ver": "v1",
"ts": "2018-01-29 11:21:31:853+0000",
"params": {
"resmsgid": null,
"msgid": "8e27cbf5-e299-43b0-bca7-8347f7e5abcf",
"err": "INVALID_KEY",
"status": "INVALID_KEY",
"errmsg": "Either the key doesn't exists or it has been expired"
},
"responseCode": "CLIENT_ERROR",
"result": {
}
}
|
...
Problem Statement 3
What is the DB design for storing information about master keys?
approach 1:
JWT token Table Structure
| column | type | description |
|---|---|---|
| channel* | text | consist user provide channel name |
| name* | text | provided by user |
| organisationId | text | provided by user or root org id mapped with channel |
| createdBy | text | user id who created the master key |
| createdOn | timestamp | created time |
approach 2:
custom generated key
| column | type | description | |
|---|---|---|---|
| channel* | text | primary key as consist user provide channel name | |
| name* | text | provided by user | |
| organisationId | text | provided by user or root org id mapped with channel | |
| key | text | masterholds custom generated key | generated|
| refresh_tokencreatedBy | text | refresh token generated | key_expiryuser id who created the master key |
| createdOn | timestamp | time when current master key will be expired | |
| createdby | text | user id of the user who created the entry | |
| createdon | timestamp | time when entry was createdcreated time |
Problem Statement 4
How to use generated master key to bypass existing user authentication?
approach 1:
- master key will be passed in X-authenticated-user-token
- use an extra header (X-authentication-type) declaring the type of authentication as master( for master key and user for user authentication).
approach 2:
- extra header (X-authentication-master-key) to pass master key.
- If above header is present it supersedes the user authentication
Pros and Cons
| Key Usage Approach | Pros | Cons |
|---|---|---|
| X-authentication-type | In future it can support additional authentication types |