Suppose AllinOnePhoto (D) is a site that lets users store all their photos, built on D8. It has users 0, 1, 2, 3, 4, ..., where 0 is the anonymous user and 1 is admin (a user with enough access); other users are authenticated users. P is a third-party site offering a printing service.

Hawk Auth and Oz Auth together should offer authentication solutions to the user stories below:

  1. D or User 1 developed a mobile app for authenticated users to sync photos to D. There are an Android version and an iOS version. Each version uses one key that D issues.
  2. Users 2, 3, 4, ... have mobile phones; they use the app that D has developed, but they only know their usernames and passwords.
  3. P offers a printing service, but it asks its users to grant the access that they have on D. Once P has the permission, P can only access one particular user's photos.

Comments

Dragooon

Version: » 8.x-1.x-dev

For (2), Basic Auth + Hawk can be used: Hawk to authenticate the app and Basic Auth to authenticate the users. I did some rudimentary testing:

1) Passed Hawk's authorisation header for User 1; let's say this is the app's owner. Drupal authenticated the header as user 1.
2) Passed Basic Auth's authorisation header for User 2 to the same server; Drupal authenticated it as user 2. Both Basic Auth and Hawk use the HTTP Authorization header, with Hawk's starting with "Hawk" and Basic Auth's starting with "Basic"; both cannot be present at the same time, so we do not have to cater to that scenario.

In the above two requests, the Hawk and Basic Auth modules were present simultaneously and no change was made to the server's settings or configuration during testing; Drupal was able to switch between the different authentication mechanisms without issues.

skyredwang

We need more test cases, and we need more documentation, so these tests can be reproduced.

1. If Hawk fails, can Basic still work? In user story 2, Hawk is used for device authentication and Basic is used for user authentication. If the device fails

2. If Hawk works, but Basic fails, can Hawk still acquire the user owned content?

Dragooon

1. Hawk and Basic Auth both rely on sending the HTTP Authorisation header, except that Hawk's has to start with the string "Hawk" and Basic Auth's with "Basic", so we can't send a single request with both authentication protocols' headers. However, they can repeat the request with a different header and that should work; they're independent of each other.

2. Hawk simply identifies the app as a Drupal user; if that user has permission over the user's content, they can read it. That would be more of a challenge for the app developer.

Dragooon

Okay, so here are the tests I did (I reran them for this post; I discovered a bug in the previous tests I did).

Route's definition:

hawk_route_test.user:
  path: '/hawk_route_test/user'
  options:
    _auth: [ 'hawk_auth', 'basic_auth' ]
  defaults:
    _controller: '<controller>'

It is simply meant to show a JSON string and output the current logged-in username.

Request 1 (Basic Auth for User A):

Authorization: Basic cVpYbHN6bU06YW9RcXlzTW5vSw==

Correctly identifies user A.

Request 2 (Hawk for User B):

Authorization: Hawk id="1", ts="1439728774", nonce="4BYVizdcEco06AKe6BOTuCuCVlR09Au4", mac="aE66Rrw8es7PE88YjPh5XiuzicL8sFkCqTzTCShF9QY="

Correctly identifies user B.

Request 3 (BA for User A and HA for User B):

Authorization: Basic cVpYbHN6bU06YW9RcXlzTW5vSw==
Authorization: Hawk id="1", ts="1439728774", nonce="4BYVizdcEco06AKe6BOTuCuCVlR09Au4", mac="aE66Rrw8es7PE88YjPh5XiuzicL8sFkCqTzTCShF9QY="

The first (Basic) belongs to user "A" and the second (Hawk) to user "B"; both credentials are correct on their own. However, on receiving them, Apache merges them into one:

Basic YVFPSkVpRHQ6bTM4R3pWTHFqaA==, Hawk id="1", ts="1439733945", nonce="QpSdjzW2atfiZARJeAG9QfsRiyoa3sOp", mac="a1C5SpWnR8bJf17b1KPkZfju+hbS8ux9ELez0eV80ro="

This makes both of them invalid. If I have Hawk first, this is the header Drupal receives:

Hawk id="1", ts="1439736056", nonce="GaZZb5RFSforwypvC9TX9AFW91W9HHue", mac="ro/fJy+4TWAzy6vae1s/P87NuXnLVGElDVVFL5TNSvY=", Basic ZUxteXZDZDQ6NWRzMkc3TEt0Mg==

This also fails, since Hawk doesn't recognise any parameter named Basic.

From what I can tell, the headers are merged at the Apache/.htaccess level, so this behaviour might be controllable; however, I couldn't figure out how to tell Apache to merge them differently or to only pass the first or second header. We could modify this behaviour to allow multiple headers, but that would go against the HTTP spec.
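To make the merging behaviour from the tests above (and the scheme switching described in the earlier comment) concrete, here is an added Python simulation that is not part of the Hawk module or of this thread: it comma-joins two Authorization fields the way Apache was observed to, dispatches on the leading scheme token as a route listing both providers would, and shows that each scheme's parser rejects the merged value. The credential values are constructed, and the Hawk mac is a placeholder that is parsed but not verified.

```python
import base64
import re

# Constructed sample credentials, not the values from the thread; the Hawk mac
# is a placeholder because this example parses headers, it does not verify MACs.
BASIC_A = "Basic " + base64.b64encode(b"userA:secretA").decode()
HAWK_B = 'Hawk id="1", ts="1439728774", nonce="c0nstructedNonce", mac="cGxhY2Vob2xkZXI="'
HAWK_KEYS = {"id", "ts", "nonce", "mac", "hash", "ext", "app", "dlg"}

def merge_authorization(headers):
    # What the thread observed: Apache comma-joins repeated Authorization fields.
    values = [v for name, v in headers if name.lower() == "authorization"]
    return ", ".join(values) if values else None

def parse_basic(value):
    # Scheme plus exactly one base64 token; a trailing ", Hawk ..." fails the match.
    m = re.fullmatch(r"Basic\s+([A-Za-z0-9+/]+=*)", value)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def parse_hawk(value):
    # Every comma-separated part must be a known key="value"; a trailing
    # "Basic ..." is an unknown parameter, which is why the merged header fails.
    if not value.startswith("Hawk "):
        return None
    attrs = {}
    for part in value[5:].split(","):
        m = re.fullmatch(r'\s*(\w+)="([^"]*)"\s*', part)
        if not m or m.group(1) not in HAWK_KEYS or m.group(1) in attrs:
            return None
        attrs[m.group(1)] = m.group(2)
    return attrs if {"id", "ts", "nonce", "mac"}.issubset(attrs) else None

def authenticate(headers):
    # Dispatch on the leading scheme token, as a route with both providers in
    # _auth would; returns (provider, parsed), parsed None if the provider rejects.
    value = merge_authorization(headers)
    if value is None:
        return None, None
    scheme = (value.split(None, 1) or [""])[0]
    parser = {"Basic": parse_basic, "Hawk": parse_hawk}.get(scheme)
    return (scheme.lower(), parser(value)) if parser else (None, None)
```

Sending the two credentials in separate requests, as suggested above, is what keeps each parser's input well-formed; the simulation only makes the failure of the combined request reproducible.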

skyredwang

GSoC 2015 is finished. This issue served as some thinking process and documentation. I am closing this now. In the future, we shall open new issues to tackle specific problems.

skyredwang

Status: Active » Closed (fixed)
skyredwang

Status: Closed (fixed) » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.