View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0011219||mantisbt||authentication||public||2009-11-26 17:19||2010-09-21 03:38|
|Priority||normal||Severity||feature||Reproducibility||have not tried|
|Target Version||Fixed in Version|
|Summary||0011219: Provide OAuth inter-application authentication "tokens" mechanism|
OAuth is a protocol which describes (AFAICT) a way for an application to act on another application with specific privileges as granted by a user.
Supporting OAuth in Mantis may allow third party "clients" to connect to Mantis in order to retrieve/create/modify bugs in the name of a Mantis user, and depending on privileges that this user may have granted for this particular application.
More details at http://oauth.net/
|Tags||No tags attached.|
This may also be linked to 0004235
A decent introduction to what is possible with OAuth: http://hueniverse.com/2007/10/beginners-guide-to-oauth-part-ii-protocol-workflow/
This is no easy undertaking. I imagine we'd first have to implement proper access control into MantisBT like RBAC (role based access control). We'd also need to provide administrators the ability to limit the ability for users to create new accounts and what permissions those accounts can have. OAuth would then sit on top of that core MantisBT functionality providing the interface with external systems?
We do intend to implement an OAuth "plugin" for Mantis (as part of the OSLC-CM REST API implementation support) that would allow using OAuth for connecting to Mantis on behalf of a Mantis user.
It will be used for REST calls first, but may become generic enough to be used for other connections to Mantis, then.
It will make use of SimpleSAMLphp code most probably, for the protocol implementation.
It will add a few elements to the DB to manage Consumer identification, token requests, authorizations, etc. and the related UI screens for admins and users to manage these.
If there was an access control infrastructure for Mantis, it may be coupled, but until then, it will just validate that a Consumer is acting on behalf of a user, and then just replace the auth and id phase.
I have implemented the first bits of a Mantis plugin that supports some OAuth endpoints using the PHP OAuth library (and not (yet) SimpleSAMLphp as previously mentioned).
It is not yet complete, but interested people may have a look at the SVN repo at : http://heliosplatform.svn.sourceforge.net/viewvc/heliosplatform/mantis-oslccm/trunk/mantisbt-oauth-plugin/OauthAuthz/
Tests and feedback much welcome.
Firstly, this is a fantastic idea and you've obviously dedicated a lot of time and effort to implementing OAuth into MantisBT.
When I get some more free time I'd be interested in helping to improve this plugin via testing, writing code, reading specs, etc.
I've had a quick browse through the code and the following are a few comments I have so far:
1) MantisBtDbOAuthDataStore::new_token is insecure because it uses an easily predictable PRNG. It'd be better to use the new crypto_api functions in MantisBT 1.3.x for generating nonces. Ref 0010730. If Zend OAuth can create nonces for you then it is probably preferable to use the library implementation... unless it too is insecure :)
2) I think we need to implement a better way of throwing exceptions that allows us to show translated error messages to the user. I'm not sure if this should be in the form of "throw new SomethingException( lang_get( 'ERROR_SOMETHING' ) )" or a more elaborate alternative.
3) Try to avoid SELECT * in queries. It's usually recommended that queries specifically select the required columns from a table. The reason is that if you add a column to one of the tables in the future, you don't want to return this new information if it won't get used.
Great start so far! :)
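To make dhx's first point concrete, and to show what "validating that a Consumer is acting on behalf of a user" looks like at the protocol level (the plugin design described earlier in the thread), here is an added example that is not part of the OauthAuthz plugin or of MantisBT. It contrasts a token generator built on a predictable PRNG with one drawn from the OS CSPRNG, and then performs the provider-side OAuth 1.0a HMAC-SHA1 signature check (RFC 5849) with timestamp and nonce replay control. It assumes PHP 7 or later (random_bytes, hash_equals); all function names, the replay store, the URL and the secrets are hypothetical and the demo request is constructed. On MantisBT 1.3.x the crypto_api helpers dhx mentions would take the place of random_bytes().

```php
<?php
// Added example, not MantisBT or OauthAuthz code. Assumes PHP >= 7.0.
// All names (weak_new_token, new_token, oauth_verify, ...) are hypothetical.

// --- Token generation ---------------------------------------------------------

// Weak: mt_rand() is a Mersenne Twister. Its output is predictable once an
// attacker has observed a handful of tokens, which is the flaw dhx points out.
function weak_new_token(int $length = 40): string {
    $s = '';
    for ($i = 0; $i < $length; $i++) {
        $s .= dechex(mt_rand(0, 15));
    }
    return $s;
}

// Sound: draw the token from the OS CSPRNG. Hex keeps it URL-safe.
function new_token(int $bytes = 20): string {
    return bin2hex(random_bytes($bytes));
}

// --- OAuth 1.0a signature base string and HMAC-SHA1 ---------------------------

// RFC 3986 percent-encoding as OAuth 1.0a requires it. rawurlencode() already
// leaves '~' alone on PHP >= 5.3; the replace only guards older behaviour.
function oauth_encode(string $s): string {
    return str_replace('%7E', '~', rawurlencode($s));
}

// $url must already be the normalised base URL (lower-case scheme/host,
// no query string, default port dropped); $params holds query, body and
// Authorization-header parameters together, as the spec requires.
function oauth_base_string(string $method, string $url, array $params): string {
    $pairs = [];
    foreach ($params as $k => $v) {
        if ($k === 'oauth_signature') {
            continue;   // the signature itself is never part of the base string
        }
        $pairs[] = [oauth_encode((string)$k), oauth_encode((string)$v)];
    }
    // Sort by encoded key, then by encoded value.
    usort($pairs, function (array $a, array $b): int {
        return $a[0] === $b[0] ? strcmp($a[1], $b[1]) : strcmp($a[0], $b[0]);
    });
    $normalized = implode('&', array_map(function (array $p): string {
        return $p[0] . '=' . $p[1];
    }, $pairs));
    return strtoupper($method) . '&' . oauth_encode($url) . '&' . oauth_encode($normalized);
}

function oauth_sign(string $base, string $consumer_secret, string $token_secret = ''): string {
    $key = oauth_encode($consumer_secret) . '&' . oauth_encode($token_secret);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

// Provider-side check of one signed request. $seen_nonces stands in for the
// plugin's replay store (in practice a DB table keyed by consumer key + nonce).
function oauth_verify(string $method, string $url, array $params,
                      string $consumer_secret, string $token_secret,
                      array &$seen_nonces, int $now, int $window = 300): bool {
    foreach (['oauth_consumer_key', 'oauth_nonce', 'oauth_timestamp',
              'oauth_signature_method', 'oauth_signature'] as $required) {
        if (!isset($params[$required])) {
            return false;
        }
    }
    if ($params['oauth_signature_method'] !== 'HMAC-SHA1') {
        return false;                                   // only HMAC-SHA1 supported here
    }
    if (abs($now - (int)$params['oauth_timestamp']) > $window) {
        return false;                                   // outside the freshness window
    }
    $nonce_key = $params['oauth_consumer_key'] . ':' . $params['oauth_nonce'];
    if (isset($seen_nonces[$nonce_key])) {
        return false;                                   // nonce already used: replay
    }
    $expected = oauth_sign(oauth_base_string($method, $url, $params),
                           $consumer_secret, $token_secret);
    if (!hash_equals($expected, $params['oauth_signature'])) {
        return false;                                   // constant-time comparison
    }
    $seen_nonces[$nonce_key] = $now;                    // record only after success
    return true;
}

// --- Constructed demo request -------------------------------------------------
$consumer_secret = 'kd94hf93k423kf44';                  // hypothetical secrets
$token_secret    = 'pfkkdhi9sl3r4s00';
$url    = 'https://mantis.example.org/plugin.php';
$params = [
    'page'                   => 'OauthAuthz/verify',
    'oauth_consumer_key'     => 'dpf43f3p2l4k3l03',
    'oauth_token'            => new_token(),
    'oauth_nonce'            => new_token(8),
    'oauth_timestamp'        => (string)time(),
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_version'          => '1.0',
];
$params['oauth_signature'] = oauth_sign(oauth_base_string('GET', $url, $params),
                                        $consumer_secret, $token_secret);

$seen = [];
// Fresh request with an unused nonce.
var_dump(oauth_verify('GET', $url, $params, $consumer_secret, $token_secret, $seen, time()));
// Same request again: the nonce is now in the store and must be refused.
var_dump(oauth_verify('GET', $url, $params, $consumer_secret, $token_secret, $seen, time()));
// A parameter changed after signing: the signature no longer matches.
$params['page'] = 'OauthAuthz/other';
$seen = [];
var_dump(oauth_verify('GET', $url, $params, $consumer_secret, $token_secret, $seen, time()));
```

The consumer and token secrets never travel with the request; only the consumer key and the HMAC do, so a provider that looks the secrets up by consumer key and token can authenticate the Consumer and the delegating user in one step, which is the "replace the auth and id phase" role described for the plugin. The per-token scope that the thread notes is still missing would be an additional lookup on the access token after this check succeeds.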
@dhx: You'll be very much welcome to help ;) Thanks for the review. I'll try and add a few responses:
1) good point. In any case, there are also issues with DOS in terms of security if depending on some RNG methods too... so I'd better not reinvent the wheel here, and use Mantis standard mechanism. +1 for the TODO
2) the errors/exceptions mechanism was not really thought of, so yes, that may be improved in a great way. +1 too
3) Again, here, it was a bit quick and dirty, and there may be better ways to do it. +1 too
Regarding the code in general, I'd like to reorganize it so that there's some more objects and a separate DB store, so that there can be some reuse for other PHP apps. I'm particularly thinking about FusionForge, so, having proper MVC/layers separation would allow the reuse of the same classes for both, while the UI of the plugins would be implemented in different ways, and the backends using each PDO.
Thanks again for your comments and support :-)
I've reworked the DB access code to put it into a single file, in order to be able to reuse much of the code for other PHP web apps that would have a different DB access system/PDO.
The errors should be a little bit better handled and there are many more comments/auto-docs.
Note that we're successfully using it now for our OSLC-CM V1 REST server (0011063).
Still it misses control over specific permissions associated to the access tokens to allow controlling which operations a Consumer is authorized to do on behalf of a user and which not.
At the moment, we use auth_attempt_script_login() in order to start a user's session, and that seems quite operational.
Any plans on integrating OAuth into Mantis core?
I'm not sure to whom the question is asked, but in any case, I'm sorry to say that it's unlikely I'll have some free time to work on this in the coming month, so I'd be happy to hand it over to anyone interested to continue the work. Everything is committed in our repo... just follow the links above.
In case of doubt, this plugin provides an OAuth provider auth mechanism.
The code is now available in Git at : http://git.mantisforge.org/w/mantisbt/helios.git?a=tree;f=plugins/OauthAuthz;hb=OauthAuthz
|2009-11-26 17:19||oberger||New Issue|
|2010-01-24 01:56||vboctor||Relationship added||related to 0011063|
|2010-01-24 12:36||oberger||Note Added: 0024231|
|2010-01-25 23:01||vboctor||Status||new => acknowledged|
|2010-02-07 07:40||dhx||Relationship added||related to 0004235|
|2010-02-07 08:05||dhx||Note Added: 0024338|
|2010-02-17 02:35||oberger||Note Added: 0024401|
|2010-05-06 12:49||oberger||Note Added: 0025431|
|2010-05-10 05:06||oberger||Note Added: 0025445|
|2010-05-10 12:05||dhx||Note Added: 0025449|
|2010-05-12 03:47||oberger||Note Added: 0025482|
|2010-05-14 05:38||oberger||Note Added: 0025499|
|2010-05-29 10:22||oberger||Note Added: 0025624|
|2010-08-29 08:47||bretrzaun||Note Added: 0026498|
|2010-08-30 01:47||oberger||Note Added: 0026510|
|2010-09-20 10:17||oberger||Note Added: 0026805|
|2010-09-21 03:38||oberger||Note Added: 0026825|