Description
Our current auth service relies on Kerberos principals and ACLs to authenticate and authorise users but we are increasingly encountering applications and services that support only OAuth2 for authorisation (e.g. Grafana). To improve compatibility between these applications and ACS, I propose adding OAuth2 support.
Benefits:
- Enhanced Compatibility: Many modern applications and third-party services support OAuth2. Adding OAuth2 support will enable these applications to integrate seamlessly with ACS.
Proposed Implementation:
- OAuth2 Authorisation Server:
  - Implement an OAuth2 authorisation server within our existing auth service.
  - Support the following OAuth2 grant types:
    - Authorisation Code Grant
    - Implicit Grant
    - Resource Owner Password Credentials Grant
    - Client Credentials Grant
  - Ensure the authorisation server can issue access tokens, refresh tokens, and handle token revocation.
- Token Handling:
  - Implement token generation, validation, and expiration mechanisms.
  - Store tokens securely, possibly using encryption and hashing techniques to enhance security.
  - Ensure compatibility with JWT (JSON Web Tokens) for token structure and payload.
- Integration with Existing Authentication:
  - Integrate OAuth2 flows with our existing Kerberos-based authentication mechanism.
  - Use Kerberos principals to authenticate users during the OAuth2 authorisation process.
  - Map ACLs to OAuth2 scopes to ensure appropriate authorisation levels.
- Documentation and Examples:
  - Provide comprehensive documentation on how to integrate an OAuth2 application with ACS.
  - Include example code and configurations for common scenarios and applications.
Resources: