Talk:Requests for comment/Service-oriented architecture authentication

Similarity to AuthStack
How different is this from AuthStack? This RfC seems like just a generalized version of the latter. Can they just be merged? Parent5446 (talk) 18:14, 9 June 2014 (UTC)


 * This RFC focuses on authentication in a SOA world, and formulates some architectural goals. One of those goals is a separation of concerns and isolation. Most code should not have access to sensitive user information, so that security issues in random features don't lead to an exposure of sensitive information. Another goal is to push authentication to the lowest layers (storage service) wherever possible to avoid the risk of a confused deputy & address the issues of different services collaborating to provide specific functionality.


 * The solution presented in the AuthStack RFC does not seem to address several of these goals. This leads me to believe that the goals of the two RFCs are actually different. -- Gabriel Wicke (GWicke) (talk) 18:32, 9 June 2014 (UTC)


 * I think "Authentication" is a bad name for this RFC, but can't think of a better one. Maybe "Inter-service user identification, authorization, and session management"?
 * While AuthStack deals (primarily) with Authentication in MediaWiki, this RFC is about MediaWiki acting as an Identity Provider for other services, and how to efficiently make those assertions. If we make a MediaWiki Authentication Service, then it would need to account for all of the stuff discussed in AuthStack, as well as how MediaWiki core would consume those. I don't think that discussion should happen until we have the inter-service session management pieces working in production. CSteipp (talk) 22:39, 12 June 2014 (UTC)

Tokens
gwicke and I had talked about using JWT's for identification. I did a quick test to see the size, and encoding basic information about the user, issuer, validity timestamps, and the list of user rights that user has generates a JWT that's about 4k. The RS256 signature was about 600 bytes larger than HS256, using a 4096 bit rsa key. CSteipp (talk) 22:40, 12 June 2014 (UTC)


 * I'd expect the size to be mostly determined by the key size. Do we need 4096 bits, especially with key rotation? We might also be able to gzip + base64 encode the value for the benefit of plain HTTP users, although this should not do much for the signature. -- Gabriel Wicke (GWicke) (talk) 22:41, 12 June 2014 (UTC)


 * 2048 would probably be ok if we actually do key rotation. Key management is hard, but if someone is willing to stay on top of it, we can assume that. So that takes the signature down to about 300 bytes. Also, we would want to use RS512 to get equivalent security to HS256, so using my test user gives:
 * Uncompressed: RS512 JWT = 4054 B, HS256 JWT = 3755 B
 * Compressed: RS512 JWT = 2482 B, HS256 JWT = 2183 B
 * So ~2.5k overhead on every request. CSteipp (talk) 23:35, 12 June 2014 (UTC)


 * My understanding is that RS256 is recommended (SHA-2, signed with 2048 bit RSA key ). Why do you feel that RS512 is necessary for 2048 bit RSA?
 * My understanding is also that HS256 is just a SHA-2 over the message & a shared secret: "The HMAC SHA-256 MAC is generated per RFC 2104, using SHA-256 as the hash algorithm "H", using the octets of the ASCII [USASCII] representation of the JWS Signing Input as the "text" value, and using the shared key."
 * Based on the size, I'm guessing that HS256 in your data is RS256?
 * So assuming we go with the recommended RS256, it looks like we'd end up with 2183bytes. This compares with 441bytes worth of cookies in production, although some of those will still be needed.
 * Without SPDY / HTTP2 this would not be impossible, but also not ideal. By the current stats at http://caniuse.com/spdy this would affect about 30% of all HTTPS traffic, and all of HTTP traffic. SPDY support will further improve soon with Apple just announcing support and IE gaining it fairly recently.
 * We might still want to wait with using full tokens until SPDY support is more common, and we actually support it as well. Until then we can start using this for API requests. We could also consider storing the tokens in memcached based on the session id, and retrieving those for API requests with a session cookie only. -- Gabriel Wicke (GWicke) (talk) 04:20, 13 June 2014 (UTC)


 * Since the secret key mixed into the hash is unknown, the attacker has to essentially brute force the key that we use-- which happens to be 256 bits when we use HS256 for OAuth right now. To spoof a signature, they "just" need to find a collision in the hash. Sha256 is takes a lot of work to find collisions (I think it's still over well over 128 bits of work, which is virtually impossible), but it's less than 256 bits, so a larger hash ensures that the hash is not weakest part of the signature. The 2048 bit key is approximately equivalent to 112 bits of brute forcing, so that becomes the weaker link. Again, not that any of those attacks are feasible right now, but in 5 years, it's anyone's guess. And no, I did mean HS256 in my test, not RS256.


 * Hmm, but isn't 2048 bit RSA then the weakest link even with SHA-2?
 * I'm surprised that the overall size is that large even with just a SHA-2 signature. It sounds like the JSON itself is fairly large. Could you paste the JSON somewhere? I could try to see if I can represent the user data a bit more compactly. -- Gabriel Wicke (GWicke) (talk) 05:24, 13 June 2014 (UTC)