Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add documentation for on-behalf-of token authorization #4411

Closed
wants to merge 8 commits into from
Closed
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
90 changes: 90 additions & 0 deletions _security/authentication-backends/obo-token.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,90 @@
---
layout: default
title: On-behalf-of tokens
parent: Authentication backends
nav_order: 75
---


# On-behalf-of tokens

On-behalf-of (OBO) tokens enable services to run on OpenSearch by allowing a user's security privileges to authorize access on behalf of the service. These tokens can be used for any generic service that you want to run on OpenSearch. However, their initial application with OpenSearch involves supporting the use of extensions.


## Description

The OBO token is a JSON Web Token (JWT) used for managing authentication requests between a user's client and an extension or other service. For the initial extensions design, these tokens allow the extension to interact with the OpenSearch cluster using the same privileges as the initiating user; hence the name, “on-behalf-of”. Because these tokens don’t have any real restrictions, they can be used to permit access to any generic service for a set window of time.

The OBO token provides just-in-time access for extension services and other resources. This means that the token is issued immediately before it is needed rather than at the beginning of a session with the expectation that access persists over the course of the session. This approach is often considered a more secure method of authentication due to the fixed and relatively short length of time it remains valid and the focused access it applies to a select service.

Given that the OBO token is a JWT, it includes an expiration claim that determines how long the token remains valid. You can therefore configure the token so that it provides access to a service for a short, predetermined length of time.


### Token payload

The payload for an OBO token includes the following claims. To read more about JWT claims, see [JSON Web Token Claims](https://www.iana.org/assignments/jwt/jwt.xhtml#claims).

| Claim | Claim description |
| :--- | :--- |
| `iss` | Issuer. The OpenSearch cluster identifier. |
| `iat` | Issued at. Time at which the token was issued. |
| `exp` | Expiration time. |
| `sub` | Subject. User ID |
| `aud` | Audience. The extension's, or the service's, unique identifier. |
| `roles` | Roles. Security privilege evaluation. <!--- not sure what this means ---> |



## Configuring the token

As with all backends, the OBO token is configured in the `authc` section of the `config.yml` file. Set up an authentication domain and choose `on_behalf_of` as the `http_authenticator`. Because the tokens already contain all required information to verify the request, set `challenge` to `false` and `authentication_backend` to `noop`:

```yml
on_behalf_of:
signing_key: xxxxxxxxxx
encryption_key: xxxxxxxx
```
<!--- Aside from http authenticator type, signing_key, and encryption_key, are any of these other settings important to OBO configuration? Do any of the JWT configuration settings apply to OBO also?
```yml
on_behalf_of_domain:
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: on_behalf_of
challenge: false
config:
signing_key: "base64 encoded key"
encryption_key: xxxxxxxx
jwt_header: "Authorization"
jwt_url_parameter: null
subject_key: null
roles_key: null
jwt_clock_skew_tolerance_seconds: 20
authentication_backend:
type: noop
```
--->

The following table lists the most important configuration parameters.

Name | Description
:--- | :---
`signing_key` | The signing key to use when verifying the token. If you use a symmetric key algorithm, it is the base64-encoded shared secret. If you use an asymmetric algorithm, it contains the public key.
`encryption_key` | <!--- need more on this --->


## Enabling backend roles

To make backend roles backward compatible for plugins, the following configuration is necessary in the `extensions/extensions.yml` file:

```yml
BWC Mode OFF (default):
Encrypted roles (er)
BWC Mode ON:
Decrypted roles in plain-text (dr)
Decrypted backend roles in plain-text (dbr)
```
<!--- not sure what this configuration is all about. Is this the new setting: jwtTokenIncludesBackendRoles? basing this on comments in https://github.com/opensearch-project/security/pull/3180 --->