• 1.0-m12, 1.0-pre-beta-1

      In Scope

      • Change authentication so that it works via JWT only
      • Remove authentication via cookie
      • Ensure that the frontend continues to work when JWT is enabled (You may need to open another ticket to get help from the frontend team)
      • Solution should be cURL friendly

          [JENKINS-35783] REST API must only be authenticated using JWT

          James Dumay created issue -
          James Dumay made changes -
          Epic Link New: UX-165 [ 25873 ]
          James Dumay made changes -
          Summary Original: REST API should only be authenticated using JWT New: REST API must only be authenticated using JWT

          Ben Walding added a comment -

          My base position would be to leave Basic Auth disabled until you have a concrete use case.

          I don't think general convenience is a valid use-case - as it re-opens the door on CSRF attacks.

          (you might be able to get around this by doing Bearer Authentication headers rather than Basic Auth headers - but understand the use-case first)

          James Dumay made changes -
          Description Original: In Scope
          * Change authentication so that it works via JWT only
          * Remove authentication via cookie
          * Consider allowing basic auth if no JWT is available ([~vpandey] is that a good thing todo as a fallback? What is the best practice?)
          * Ensure that the frontend continues to work when JWT is enabled (You may need to open another ticket to get help from the frontend team)
          New: In Scope
          * Change authentication so that it works via JWT only
          * Remove authentication via cookie
          * Ensure that the frontend continues to work when JWT is enabled (You may need to open another ticket to get help from the frontend team)

          James Dumay added a comment -

          bwalding removed HTTP auth for now.


          Ivan Meredith added a comment -

          bwalding why does basic auth open csrf on an application/json post?


          James Dumay added a comment - - edited

          Only thing I can think of is the URL scheme but you'd need a password for that e.g. http://demo:securepassword@blueocean.io/blue/rest/


          Ivan Meredith added a comment - - edited

          Well, the browser automatically sends the header in CSRF, which isn't true for JWT or Bearer. But we specifically require the application/json header on the REST API to protect against CSRF.

          Not that I am against JWT exactly, it's just not as curl friendly I think? If it is curl friendly ignore me.


          Ben Walding added a comment -

          Because hackers.com can make a Javascript call and the Basic Auth credentials will be sent to mycorporatesite.com if the user has entered them recently.

          $.ajax({
              type: "POST",
              url: "https://mycorporatesite.com/blue/delete-all-my-stuff",
              data: "",
              // withCredentials makes the browser attach its ambient credentials (cookies, or
              // Basic Auth credentials it has cached for mycorporatesite.com) to this cross-origin request
              xhrFields: { withCredentials: true },
              success: function(s) { console.log('success', s); },
              // jQuery's dataType names the expected response format ('json'), not a MIME type
              dataType: 'json'
          });

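The distinction the two comments above turn on, written out as an added example (not code from this issue or from Blue Ocean): Basic Auth and cookies are ambient credentials the browser attaches by itself, so a state-changing request relying on them is only accepted when it also carries the application/json Content-Type, which an HTML form cannot send and which forces a CORS preflight; a Bearer/JWT header has to be added by script, so it is accepted directly. The sample requests and the token value are constructed.

```javascript
// Added example modelling the CSRF guard discussed in the thread; not Blue Ocean code.

// Header names are case-insensitive, so look them up without regard to case.
function headerValue(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// How the request is authenticated: 'bearer' (explicit), 'basic' or 'cookie' (ambient), or 'none'.
function authSource(headers) {
  const auth = headerValue(headers, 'Authorization') || '';
  if (/^Bearer\s+\S+/i.test(auth)) return 'bearer';
  if (/^Basic\s+\S+/i.test(auth)) return 'basic';
  if (headerValue(headers, 'Cookie')) return 'cookie';
  return 'none';
}

// Media type only, ignoring parameters such as "; charset=utf-8".
function mediaType(contentType) {
  return (contentType || '').split(';')[0].trim().toLowerCase();
}

// Decide whether a state-changing REST call (POST/PUT/DELETE) may proceed.
// Returns { allowed, reason } so the caller can log why a request was refused.
function guardStateChange(headers) {
  const source = authSource(headers);
  if (source === 'none') return { allowed: false, reason: 'unauthenticated' };
  if (source === 'bearer') return { allowed: true, reason: 'explicit bearer token' };
  // Ambient credential: only accept a Content-Type that forms cannot produce and that is not a
  // CORS "simple" type, so a cross-origin script attempt is stopped at the preflight.
  if (mediaType(headerValue(headers, 'Content-Type')) === 'application/json') {
    return { allowed: true, reason: `${source} credential with application/json body` };
  }
  return { allowed: false, reason: `${source} credential without application/json (possible CSRF)` };
}

// Constructed samples: what the $.ajax call above sends by default (form-encoded body plus
// cached Basic credentials), and a cURL-style call carrying a JWT (placeholder token value).
const crossSiteBasic = {
  Authorization: 'Basic ZGVtbzpzZWN1cmVwYXNzd29yZA==',
  'Content-Type': 'application/x-www-form-urlencoded'
};
const curlJwt = { authorization: 'Bearer eyJhbGciOiJIUzI1NiJ9.e30.PLACEHOLDER' };
```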

            imeredith Ivan Meredith
            jamesdumay James Dumay