Add stateful introspection checking for front-end tokens #47
Open
jonathanmelitski wants to merge 5 commits into master from
Platform supports token introspection. This means that, given a stateful token granted by platform, we can verify the validity of this token against platform. Further, since mobile backend requires tokens to have the `introspection` scope, this does not require a separate Platform application. In other words, tokens can be used to authenticate a request used to verify themselves. This is valuable because access tokens are not yet stateless. This PR checks first to see if the token given to analytics can be verified as a B2B token, then checks if Platform can validate the token. This makes it so frontend applications, like Penn Mobile iOS/Android, can use analytics by passing in their access token.
Concern: we were loosely concerned about giving clients free rein over analytics. We could consider the use of Apple's DeviceCheck framework (or Android's Play Integrity framework) to verify that these requests are actually coming from a verified source (not Postman lol).
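The two-step check the PR describes (B2B token first, then a stateful introspection call in which the token authenticates its own verification), as an added illustration that is not the PR's code: the introspection URL, the B2B token table and the fake Platform responder are all constructed for the example, and the HTTP call is injected so it runs offline.

```python
from typing import Callable, Dict, Optional, Tuple

INTROSPECT_URL = "https://platform.example/introspect/"  # assumed, not the real endpoint
B2B_TOKENS = {"b2b-secret": "penn-mobile-backend"}        # constructed sample
# HTTP layer is injected: post(url, headers, form) -> (status, json_body)
HttpPost = Callable[[str, Dict[str, str], Dict[str, str]], Tuple[int, dict]]

def verify_b2b(token: str) -> Optional[str]:
    """Check 1: is this one of analytics' own B2B tokens? Returns owner or None."""
    return B2B_TOKENS.get(token)

def introspect(token: str, post: HttpPost) -> Optional[dict]:
    """Check 2: ask Platform whether the token is still valid (stateful check).
    The token under test is also the Bearer credential, which Platform only
    accepts when the token carries the `introspection` scope."""
    status, body = post(INTROSPECT_URL,
                        {"Authorization": "Bearer " + token},
                        {"token": token})
    if status != 200 or body.get("active") is not True:
        return None          # rejected, revoked, expired or lacking scope
    return body

def verify_token(token: str, post: HttpPost) -> Tuple[str, Optional[str]]:
    """Returns (kind, principal): kind is "b2b", "user" or "rejected"."""
    owner = verify_b2b(token)
    if owner is not None:
        return "b2b", owner
    info = introspect(token, post)
    if info is None:
        return "rejected", None
    return "user", info.get("username")

# Constructed fake Platform so the example runs offline.
FAKE_PLATFORM = {
    "live-token":    {"active": True, "username": "student", "scope": "read introspection"},
    "noscope-token": {"active": True, "username": "student", "scope": "read"},
    "revoked-token": {"active": False},   # revoked server-side; a stateless check would miss this
}

def fake_post(url: str, headers: Dict[str, str], form: Dict[str, str]) -> Tuple[int, dict]:
    bearer = headers.get("Authorization", "")[len("Bearer "):]
    caller = FAKE_PLATFORM.get(bearer, {})
    if caller.get("active") is not True:
        return 401, {"detail": "invalid bearer token"}
    if "introspection" not in caller.get("scope", "").split():
        return 403, {"detail": "introspection scope required"}
    return 200, FAKE_PLATFORM.get(form["token"], {"active": False})
```

A token that is valid but lacks the `introspection` scope is rejected at the Bearer step, which is why the PR's approach depends on mobile backend always requesting that scope.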