prosody-modules
2bb29ece216b
mod_auth_token/README.markdown
Software / code / prosody-modules
File
mod_auth_token/README.markdown @ 5193:2bb29ece216b
mod_http_oauth2: Implement stateless dynamic client registration
Replaces previous explicit registration that required either the
additional module mod_adhoc_oauth2_client or manually editing the
database. That method was enough to have something to test with, but
would not probably not scale easily.
Dynamic client registration allows creating clients on the fly, which
may be even easier in theory.
In order to not allow basically unauthenticated writes to the database,
we implement a stateless model here.
per_host_key := HMAC(config -> oauth2_registration_key, hostname)
client_id := JWT { client metadata } signed with per_host_key
client_secret := HMAC(per_host_key, client_id)
This should ensure everything we need to know is part of the client_id,
allowing redirects etc to be validated, and the client_secret can be
validated with only the client_id and the per_host_key.
A nonce injected into the client_id JWT should ensure nobody can submit
the same client metadata and retrieve the same client_secret
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Fri, 03 Mar 2023 21:14:19 +0100 |
| parent | 3471:b4bcb84997e7 |
line wrap: on
line source
# mod_auth_token This module enables Prosody to authenticate time-based one-time-pin (TOTP) HMAC tokens. This is an alternative to "external authentication" which avoids the need to make a blocking HTTP call to the external authentication service (usually a web application backend). Instead, the application generates the HMAC token, which is then sent to Prosody via the XMPP client and Prosody verifies the authenticity of this token. If the token is verified, then the user is authenticated. ## Luarocks dependencies You'll need to install the following luarocks otp 0.1-5 luatz 0.3-1 ## How to generate the TOTP seed and shared signing secret You'll need a shared OTP_SEED value for generating time-based one-time-pin (TOTP) values and a shared private key for signing the HMAC token. You can generate the OTP_SEED value with Python, like so: >>> import pyotp >>> pyotp.random_base32() u'XVGR73KMZH2M4XMY' and the shared secret key as follows: >>> import pyotp >>> pyotp.random_base32(length=32) u'JYXEX4IQOEYFYQ2S3MC5P4ZT4SDHYEA7' ## Configuration Firest you need to enable the relevant modules to your Prosody.cfg file. Look for the line `modules_enabled` (either globally or for your particular `VirtualHost`), and then add the following to tokens: modules_enabled = { -- Token authentication "auth_token"; "sasl_token"; } The previously generated token values also need to go into your Prosody.cfg file: authentication = "token"; token_secret = "JYXEX4IQOEYFYQ2S3MC5P4ZT4SDHYEA7"; otp_seed = "XVGR73KMZH2M4XMY"; The application that generates the tokens also needs access to these values. For an example on how to generate a token, take a look at the `generate_token` function in the `test_token_auth.lua` file inside this directory. ## Custom SASL auth This module depends on a custom SASL auth mechanism called X-TOKEN and which is provided by the file `mod_sasl_token.lua`. Prosody doesn't automatically pick up this file, so you'll need to update your configuration file's `plugin_paths` to link to this subdirectory (for example to `/usr/lib/prosody-modules/mod_auth_token/`). ## Generating the token Here's a Python snippet showing how you can generate the token that Prosody will then verify: import base64 import pyotp import random # Constants OTP_INTERVAL = 30 OTP_DIGITS = 8 jid = '{}@{}'.format(username, domain) otp_service = pyotp.TOTP( OTP_SEED, # OTP_SEED must be set to the value generated previously (see above) digits=OTP_DIGITS, interval=OTP_INTERVAL ) otp = otp_service.generate_otp(otp_service.timecode(datetime.utcnow())) nonce = ''.join([str(random.randint(0, 9)) for i in range(32)]) string_to_sign = otp + nonce + jid signature = hmac.new(token_secret, string_to_sign, hashlib.sha256).digest() token = u"{} {}".format(otp+nonce, base64.b64encode(signature))
