2022-02-08 10:25:51 +00:00
:PROPERTIES:
:ID: 2c317dbe-4fca-444b-b0bc-f9174522e106
:END:
#+TITLE: New IROH-Auth APIs
#+Author: Yann Esposito
#+Date: [2022-02-08]
- tags :: [[id:1208f09c-d37d-4e6b-9110-151f3c6b7d34][Cisco FT SecureX Simplified Registration]] [[id:91f33b35-6e4e-4213-b214-972ee20722df][Cisco]]
- source :: https://github.com/advthreat/iroh/issues/6076
* Implement a new IROH-Auth API
With https://github.com/advthreat/iroh/pull/6247 you can now give a Web API its own JWT middleware configuration.
So here we just need to provide a new JWT check function that accepts the new UserIdentity-level JWTs.
So write a function inspired by ~iroh-web.core/check-jwt-fields~, see:
https://github.com/advthreat/iroh/blob/master/lib/iroh-web/src/iroh_web/core.clj#L138
The main differences should be:

- Filter on the correct ~oauth/kind~
- Have a ~.../user-identity/...~ instead of ~.../user/...~
- Etc…
Then create a new proto-Web API that uses this new JWT configuration.
#+begin_src clojure
(web/defwebservice-with-params iroh-auth-spa-api []
  {,,,
   :options {:jwt-middleware-option-patch
             {:jwt-check-fn user-identity-jwt-check-fn}}})
#+end_src
The first endpoint should be ~GET /iroh/iroh-auth-apis/whoami~, whose only goal is to return a user-friendly JSON rendering of the ~identity~ field of the ring request.
#+begin_src clojure
(GET "/whoami" req
  ,,,
  (ok (:identity req)))
#+end_src
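As an added worked example (this is not code from IROH or from the PR above), here are the two pieces this note describes: a fail-closed ~user-identity-jwt-check-fn~ that filters on ~oauth/kind~ and on the ~.../user-identity/...~ claims, and a ~/whoami~ handler that returns a curated view of ~:identity~ instead of the whole map. Everything not on this page is an assumption and is marked as such in the code: the claim namespace ~claim-prefix~, the kind value ~"user-identity"~, the required claim names, the keys found under ~:identity~, and that the JWT middleware has already verified signature and expiry before it hands the decoded claims map to the check function.

```clojure
;; Added example, not IROH's code: a fail-closed field check for
;; UserIdentity-level JWTs and a curated /whoami handler.
;; Invented for illustration (the page does not show them): the claim
;; namespace `claim-prefix`, the `oauth/kind` value "user-identity", the
;; required claim names, and the keys found under the request's :identity.
;; Assumed: the JWT middleware has already verified signature and expiry
;; and passes the decoded claims map (string keys) to the check function.
(ns iroh-auth-example.core
  (:require [clojure.string :as str]))

(def ^:private claim-prefix
  "Placeholder namespace; the page only shows it as .../user-identity/..."
  "https://claims.example/user-identity/")

(def ^:private required-claims
  "Claims a UserIdentity JWT must carry. Names are invented."
  (mapv #(str claim-prefix %) ["id" "org-id"]))

(defn- missing-claims
  "Required claims that are absent, nil or blank in `claims`."
  [claims]
  (remove (fn [k]
            (let [v (get claims k)]
              (if (string? v) (not (str/blank? v)) (some? v))))
          required-claims))

(defn user-identity-jwt-check-fn
  "Returns nil when `claims` are acceptable for the UserIdentity API,
  otherwise a vector of human-readable errors. Rejecting any other
  `oauth/kind` is the point: a validly signed user-level JWT must not
  open a session on the user-identity API, and vice versa."
  [claims]
  (let [kind    (get claims "oauth/kind")
        missing (missing-claims claims)
        errors  (cond-> []
                  (not= kind "user-identity")
                  (conj (str "unexpected oauth/kind " (pr-str kind)
                             ", want \"user-identity\""))
                  (seq missing)
                  (conj (str "missing claims: " (str/join ", " missing))))]
    (not-empty errors)))

(defn identity->whoami
  "User-friendly view of the ring request's :identity. Only listed keys
  are copied, so whatever else the middleware attaches (a raw token, an
  internal client id) is never echoed back to the caller."
  [ident]
  (select-keys ident [:user-identity/id :user-identity/org-id :oauth/kind]))

(defn whoami-handler
  "Plain ring handler for GET /whoami. :body is left as data for the
  API's JSON serialisation (compojure-api's `ok` does that on the page).
  No :identity means the middleware never authenticated the caller."
  [req]
  (if-let [ident (not-empty (:identity req))]
    {:status 200
     :headers {"Content-Type" "application/json"}
     :body (identity->whoami ident)}
    {:status 401
     :headers {"Content-Type" "text/plain"}
     :body "no identity on request"}))

;; Constructed sample claims (not real tokens) exercising both paths.
(def ^:private ui-claims
  {"oauth/kind"                "user-identity"
   (str claim-prefix "id")     "ui-123"
   (str claim-prefix "org-id") "org-9"})

(def ^:private user-claims
  {"oauth/kind"                     "user"
   "https://claims.example/user/id" "u-1"})

;; A UserIdentity token passes; a user-level token fails on both checks.
(assert (nil? (user-identity-jwt-check-fn ui-claims)))
(assert (= 2 (count (user-identity-jwt-check-fn user-claims))))
;; No identity on the request must not yield a 200.
(assert (= 401 (:status (whoami-handler {}))))
;; The raw :jwt the middleware attached is not echoed back.
(assert (= {:user-identity/id "ui-123" :oauth/kind "user-identity"}
           (:body (whoami-handler {:identity {:user-identity/id "ui-123"
                                              :oauth/kind       "user-identity"
                                              :jwt              "eyJ..."}}))))
```

The reason to reject the wrong ~oauth/kind~ rather than ignore it is that a user-level JWT is just as validly signed as a UserIdentity one; without that filter the new API would accept sessions it was never meant to grant, and the old ~/user/~ API would accept the new tokens. The ~select-keys~ in ~identity->whoami~ is the matching caveat for the endpoint: echoing the whole ~:identity~ map is convenient for debugging, but it returns whatever the middleware stores there.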
From there we will have successfully built an IROH-Auth level session.