The security concept is separated into two parts: the vulnerabilities of the Flarecast infrastructure and the protection of confidential resources.
Infrastructure vulnerabilities
The first part concerns attacks against the infrastructure from external or internal sources. It covers every kind of attack vector, including data manipulation (loss of integrity) as well as service disruption (loss of availability).
...
Authentication Mechanism | Used By | Description | Protected Resources |
---|---|---|---|
Session Login | End-Users | Restricts access to specific routes by validating the session ID sent with a request. An end-user who does not hold an approved session ID is sent to a login page and authenticates with a username and password. If the login succeeds, the end-user's session ID becomes active (the ID should be regenerated at this point, so that a value fixed before authentication is never approved). | Web pages with restricted functions. |
OAuth2 | Applications | Restricts access to specific routes by validating the access token carried in the request header. An application that does not hold an active access token must first request one from the OAuth2 authorization server. Each route is tagged with one or more 'scopes', which group protected resources; an access token is bound to a list of scopes and grants access only to routes tagged with those scopes. | Restricted REST resources. |
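As an added example of the Session Login row (not Flarecast code and not flask-login's API), the following stdlib-only Python models the flow: a username/password check against a salted PBKDF2 hash, a random session ID minted only after a successful login, and a restricted route that resolves the session cookie before serving. The in-memory user and session stores, the cookie name `session` and the session lifetime are constructed assumptions.

```python
"""Session-ID based route protection for end-users (added illustration).

Not Flarecast code and not the flask-login API. The user and session stores
are in-memory dicts constructed for the example; SESSION_TTL and the cookie
name "session" are assumptions.
"""
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 8 * 3600  # assumed lifetime of an approved session, in seconds


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register_user(users: dict, username: str, password: str) -> None:
    """Store only a salted PBKDF2 hash; the clear-text password is never kept."""
    salt = secrets.token_bytes(16)
    users[username] = (salt, _hash_password(password, salt))


def login(users: dict, sessions: dict, username: str, password: str, now=None):
    """Return a new session ID on success, None on failure.

    A fresh random ID is minted on every successful login, so an ID chosen
    by an attacker before authentication (session fixation) is never approved.
    """
    now = time.time() if now is None else now
    record = users.get(username)
    # Hash even for unknown users so response time does not reveal valid names.
    salt, stored = record if record else (b"\0" * 16, b"\0" * 32)
    if not hmac.compare_digest(_hash_password(password, salt), stored) or record is None:
        return None
    sid = secrets.token_urlsafe(32)
    sessions[sid] = {"user": username, "expires_at": now + SESSION_TTL}
    return sid


def current_user(sessions: dict, cookies: dict, now=None):
    """Resolve the request's session cookie to a user, or None if not approved."""
    now = time.time() if now is None else now
    sid = cookies.get("session")
    sess = sessions.get(sid) if sid else None
    if sess is None:
        return None
    if sess["expires_at"] <= now:
        sessions.pop(sid, None)  # expired sessions are dropped, not extended
        return None
    return sess["user"]


def restricted_route(sessions: dict, cookies: dict, now=None):
    """A page with restricted functions: send to the login page without a session."""
    user = current_user(sessions, cookies, now)
    if user is None:
        return 302, "/login"
    return 200, f"hello {user}"


def logout(sessions: dict, cookies: dict) -> None:
    """Invalidate the session server-side; clearing the cookie alone is not enough."""
    sessions.pop(cookies.get("session"), None)


if __name__ == "__main__":
    users, sessions = {}, {}
    register_user(users, "alice", "correct horse")
    sid = login(users, sessions, "alice", "correct horse")
    print(restricted_route(sessions, {"session": sid}))   # (200, 'hello alice')
    print(restricted_route(sessions, {"session": "forged"}))  # (302, '/login')
```

The pieces a framework hides are the ones to check in review: the ID is regenerated on every login rather than approved in place, expired sessions are dropped rather than silently extended, and the cookie that carries the ID has to be set with HttpOnly, Secure and SameSite so that injected script or a cross-site request cannot use it.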
While it is convenient for an end-user to log in
Depending on the use case, OAuth2 provides four authorization methods, or grant types, which are listed in the following table. An application, called the client, can request an access token for a specific scope which is
Method | Description | Parameters | Example |
---|---|---|---|
Authorization Code | An end-user authorizes a specific application (the client) for a specific set of resources. The authorization server hands the client an authorization code, which the client then exchanges for an access token. | grant_type: authorization_code; scope: list of strings; code: the authorization code; client_id; redirect_uri* | http://localhost:8002/oauth/token?grant_type=authorization_code&scope=read&code=1234&client_id=1234&redirect_uri=http://localhost:8002/ui |
* The redirect_uri is validated by the OAuth2 server against the client's registered redirect URI(s) to prevent open-redirect attacks, in which the authorization code would be delivered to an attacker-controlled location (see previous section).
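As an added example (not Flarecast code and not flask-oauthlib's API), the following stdlib-only Python shows the two checks described in the mechanism table and in the footnote above: a REST route tagged with scopes accepts only a bearer token that holds one of those scopes, and redirect_uri is compared exactly against the client's registered URIs before a token request is honoured. The in-memory client and token registries, the client_id 1234, the scope names and the any-of scope semantics are constructed assumptions; the token-request URL is the one from the table's example column.

```python
"""Scope-tagged REST routes and redirect_uri validation (added illustration).

Not Flarecast code and not the flask-oauthlib API: a small in-memory model of
the checks described on the page. CLIENTS, the client_id "1234" and the scope
names are constructed sample data.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Registered clients and their exact, pre-registered redirect URIs (constructed).
CLIENTS = {"1234": {"redirect_uris": ["http://localhost:8002/ui"]}}

# Issued access tokens, keyed by a hash of the token so that a dumped table does
# not leak usable bearer tokens: hash -> {client_id, scopes, expires_at}
TOKENS = {}

# The token request from the table's example column.
EXAMPLE_TOKEN_REQUEST = ("http://localhost:8002/oauth/token?grant_type=authorization_code"
                         "&scope=read&code=1234&client_id=1234&redirect_uri=http://localhost:8002/ui")


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(client_id: str, scopes, ttl_seconds: int = 3600, now=None) -> str:
    """Mint a random bearer token bound to a client and a list of scopes."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    TOKENS[_token_key(token)] = {"client_id": client_id,
                                 "scopes": frozenset(scopes),
                                 "expires_at": now + ttl_seconds}
    return token


def authorize(headers: dict, route_scopes, now=None):
    """Gate a route tagged with `route_scopes` on the request's bearer token.

    Returns (http_status, reason): 401 when no usable token is presented,
    403 when the token is valid but lacks the route's scope.
    """
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401, "missing bearer token"
    record = TOKENS.get(_token_key(token))
    if record is None:
        return 401, "unknown token"
    if record["expires_at"] <= now:
        return 401, "token expired"
    # Assumed semantics: a route tagged with several scopes accepts a token
    # that holds any one of them.
    if not record["scopes"] & set(route_scopes):
        return 403, "insufficient scope"
    return 200, "ok"


def validate_redirect_uri(client_id: str, redirect_uri: str) -> bool:
    """Exact comparison of redirect_uri with the client's registered URIs.

    Prefix or substring matching would accept
    http://localhost:8002/ui.attacker.example or a path under /ui that
    redirects elsewhere, and the authorization code would be sent there.
    """
    client = CLIENTS.get(client_id)
    if client is None:
        return False
    if urlsplit(redirect_uri).fragment:  # RFC 6749 3.1.2: no fragment component
        return False
    return any(hmac.compare_digest(redirect_uri.encode(), r.encode())
               for r in client["redirect_uris"])


def check_token_request(url: str):
    """Validate the parameters of an authorization_code token request.

    Returns None when the request is acceptable, otherwise the rejection reason.
    """
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    for name in ("grant_type", "code", "client_id", "redirect_uri"):
        if name not in params:
            return f"missing parameter {name}"
    if params["grant_type"] != "authorization_code":
        return "unsupported grant_type"
    if not validate_redirect_uri(params["client_id"], params["redirect_uri"]):
        return "redirect_uri not registered for client"
    return None


if __name__ == "__main__":
    tok = issue_token("1234", ["read"])
    print(authorize({"Authorization": "Bearer " + tok}, ["read"]))   # (200, 'ok')
    print(authorize({"Authorization": "Bearer " + tok}, ["write"]))  # (403, 'insufficient scope')
    print(check_token_request(EXAMPLE_TOKEN_REQUEST))                 # None
```

The example URL in the table carries the code in a GET query string; RFC 6749 section 3.2 requires token requests to be POSTed with the parameters in the body so that codes do not end up in server and proxy logs. check_token_request therefore validates only the parameters and leaves the method check to the endpoint.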
The parameters of each method are described as follows:
Technical Details
Libraries: flask-login (session login), flask-oauthlib (OAuth2)
which file contains what? parametrization