Token Management
This topic is also discussed in detail in the following material:
- Unity Security Authentication and Authorization - Part 2 Slide Deck
- Unity Security Authentication and Authorization - Part 2 Video Recording
OAuth 2.0
- An open standard for authorization
- https://oauth.net/2/
OpenID Connect (OIDC)
- Built on the OAuth 2.0 protocol; adds a further JSON Web Token (JWT), the ID token, that carries the result of the user's authentication
- An open standard for decentralized authentication
- Supports federated identity (login with Google, Facebook, Amazon, Apple, or any compatible OIDC provider such as the JPL SSO login) https://openid.net/connect/
Unity uses these industry standards, which are followed by many applications and organizations.
A list of OAuth providers is available at https://en.wikipedia.org/wiki/List_of_OAuth_providers
Token Type | Purpose | Expiry |
---|---|---|
Access Token | Meant to be read and validated by the API. Used to gain access to resources by presenting it as a bearer token. Should never be decoded by the client. | Short-lived (default 60 minutes in Cognito) |
ID Token | Contains information about what happened when a user authenticated. Intended to be read by the OAuth client. May contain information about the user such as their name or email address, although that is not a requirement of an ID token. Should never be sent to an API. | Short-lived (default 60 minutes in Cognito) |
Refresh Token | Used to obtain a renewed access token without prompting the user again. | Long-lived (default 30 days in Cognito) |
Approaches to obtain Cognito tokens are documented at https://github.com/unity-sds/unity-cs/wiki/Getting-Cognito-JWT-Tokens-in-Command-Line
- Approach 1: Using the curl command
- Approach 3: Using Python Requests (in Jupyter Notebooks etc.)
- Approach 4: Using the AWS SDK for Python, Boto3 (in Jupyter Notebooks etc.)
The approaches above can only obtain Cognito tokens for a user created directly in the Cognito user pool, not for users who sign in through a federated identity provider such as Google, Facebook or JPL SSO (Cognito holds no password for a federated user, so the credential-based auth flows cannot authenticate them).
For federated users, reuse the tokens that JupyterHub received during the initial login instead:
- Implement a custom authenticator based on GenericOAuthenticator
- Read the tokens inside the custom authenticator
- Have the spawner set environment variables in its pre_spawn_start method to pass the tokens to JupyterLab
- Read the tokens from those environment variables in the Jupyter Notebook
Related GitHub issue: Get access token from Jupyter notebook console after authenticating with Keycloak
Implement a Python function called get_tokens() as follows:

```
IF there is an unexpired token THEN
    Return tokens
ELSE
    IF there are NO tokens THEN
        Get new tokens with user credentials
        When tokens are received, decode the access token and store (cache)
        its expiry date (epoch value) in a variable (expiry-date)
    IF there is an expired token (detected by checking the expiry-date variable) THEN
        IF the refresh token is unexpired THEN
            Get a new access token and ID token using the refresh token
        ELSE
            Get new tokens with user credentials
```

Three practical caveats. Cognito refresh tokens are opaque strings, not JWTs, so "unexpired" cannot be read from the refresh token itself: either record its issue time and compare against the pool's refresh-token validity (30 days by default), or simply attempt the refresh and treat a NotAuthorizedException as expiry, falling back to user credentials. Decoding the access token is done only to read its exp claim for cache bookkeeping; the client must neither verify nor act on its other claims, and the InitiateAuth response already reports the lifetime as ExpiresIn, which can be cached instead of decoding. Finally, treat a token as expired some seconds before the recorded expiry so that clock skew between the notebook and the API does not produce a rejected request.
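The following is an added example, not code from the unity-sds wiki, that implements the get_tokens() logic above and also covers the notebook side of the JupyterHub hand-off: if the spawner has already placed tokens in the environment, they seed the cache and no login is needed. The environment variable names UNITY_ACCESS_TOKEN, UNITY_ID_TOKEN and UNITY_REFRESH_TOKEN are assumptions, as is the FakeCognito class, a constructed stand-in for the cognito-idp InitiateAuth flows USER_PASSWORD_AUTH and REFRESH_TOKEN_AUTH; the hub-side authenticator and pre_spawn_start hook are not shown. Only the standard library is used, so it runs offline.

```python
# Added example (not unity-sds code). Assumptions not taken from the page:
#   - UNITY_ACCESS_TOKEN / UNITY_ID_TOKEN / UNITY_REFRESH_TOKEN are hypothetical
#     environment variable names a JupyterHub spawner would set.
#   - FakeCognito is a constructed stand-in for cognito-idp InitiateAuth.
import base64
import hashlib
import hmac
import json
import os
import time

SKEW_SECONDS = 60  # treat a token as expired this long before its recorded expiry


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_exp(token: str) -> int:
    """Return the 'exp' claim (epoch seconds) of a JWT WITHOUT verifying it.
    Used only for cache bookkeeping; the API, not the client, validates tokens."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])


class ManualClock:
    """Settable clock so token expiry can be simulated without sleeping."""
    def __init__(self, now: int):
        self.now = now

    def __call__(self) -> int:
        return self.now


class FakeCognito:
    """Constructed stand-in for the two InitiateAuth flows a user-pool client uses:
    USER_PASSWORD_AUTH (credentials -> access, ID and refresh token) and
    REFRESH_TOKEN_AUTH (refresh token -> new access and ID token only)."""
    def __init__(self, users: dict, clock, access_ttl=3600, refresh_ttl=30 * 86400):
        self.users, self.clock = users, clock
        self.access_ttl, self.refresh_ttl = access_ttl, refresh_ttl
        self.key = b"constructed-signing-key"
        self.refresh_tokens = {}  # opaque refresh token -> (username, expiry)
        self.calls = []           # auth flows invoked, for inspection

    def _jwt(self, claims: dict) -> str:
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = _b64url(json.dumps(claims).encode())
        sig = hmac.new(self.key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return f"{header}.{body}.{_b64url(sig)}"

    def _issue(self, username: str, with_refresh: bool) -> dict:
        now = self.clock()
        resp = {"access_token": self._jwt({"sub": username, "token_use": "access", "exp": now + self.access_ttl}),
                "id_token": self._jwt({"sub": username, "token_use": "id", "exp": now + self.access_ttl}),
                "expires_in": self.access_ttl}
        if with_refresh:  # Cognito refresh tokens are opaque, not JWTs
            rt = _b64url(os.urandom(24))
            self.refresh_tokens[rt] = (username, now + self.refresh_ttl)
            resp["refresh_token"] = rt
        return resp

    def password_auth(self, username: str, password: str) -> dict:
        self.calls.append("USER_PASSWORD_AUTH")
        if self.users.get(username) != password:
            raise PermissionError("NotAuthorizedException")
        return self._issue(username, with_refresh=True)

    def refresh_auth(self, refresh_token: str) -> dict:
        self.calls.append("REFRESH_TOKEN_AUTH")
        entry = self.refresh_tokens.get(refresh_token)
        if entry is None or entry[1] <= self.clock():
            raise PermissionError("NotAuthorizedException: refresh token expired")
        return self._issue(entry[0], with_refresh=False)


class TokenCache:
    """get_tokens() as specified above: cached -> refresh -> user credentials."""
    def __init__(self, password_auth, refresh_auth, credentials, clock=time.time, env=None):
        self.password_auth, self.refresh_auth = password_auth, refresh_auth
        self.credentials = credentials  # callable returning (user, password) on demand
        self.clock = clock
        self.tokens, self.expiry = None, 0
        env = os.environ if env is None else env
        if env.get("UNITY_ACCESS_TOKEN"):  # seeded by the JupyterHub spawner (assumed names)
            self._store({"access_token": env["UNITY_ACCESS_TOKEN"], "id_token": env.get("UNITY_ID_TOKEN"),
                         "refresh_token": env.get("UNITY_REFRESH_TOKEN")})

    def _store(self, resp: dict) -> None:
        previous = self.tokens or {}
        self.tokens = {"access_token": resp["access_token"], "id_token": resp["id_token"],
                       # a refresh response carries no refresh token: keep the existing one
                       "refresh_token": resp.get("refresh_token") or previous.get("refresh_token")}
        # prefer the lifetime reported by the IdP; decode 'exp' only when it is absent
        self.expiry = (self.clock() + int(resp["expires_in"]) if "expires_in" in resp
                       else jwt_exp(resp["access_token"]))

    def get_tokens(self) -> dict:
        if self.tokens is not None and self.clock() < self.expiry - SKEW_SECONDS:
            return self.tokens                      # unexpired: serve from cache
        if self.tokens is not None and self.tokens.get("refresh_token"):
            try:
                self._store(self.refresh_auth(self.tokens["refresh_token"]))
                return self.tokens                  # renewed without re-prompting the user
            except PermissionError:
                self.tokens = None                  # refresh token expired or revoked
        self._store(self.password_auth(*self.credentials()))  # no usable tokens: full login
        return self.tokens


def demo() -> list:
    """Drive the cache through every branch; returns the auth flows invoked, in order."""
    clock = ManualClock(1_700_000_000)
    idp = FakeCognito({"alice": "correct horse"}, clock)
    cache = TokenCache(idp.password_auth, idp.refresh_auth,
                       lambda: ("alice", "correct horse"), clock=clock, env={})
    cache.get_tokens()        # no tokens yet        -> USER_PASSWORD_AUTH
    cache.get_tokens()        # still valid          -> served from cache
    clock.now += 3600         # access token expired -> REFRESH_TOKEN_AUTH
    cache.get_tokens()
    clock.now += 31 * 86400   # refresh token expired -> refresh fails, USER_PASSWORD_AUTH
    cache.get_tokens()
    return idp.calls
```

In a real notebook the two callables passed to TokenCache would wrap boto3's cognito-idp initiate_auth with AuthFlow USER_PASSWORD_AUTH and REFRESH_TOKEN_AUTH respectively, and credentials would be a prompt (getpass) rather than a lambda, so the password never sits in a variable; the cache logic itself does not change.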