viaacode/ticket-service

ticket-service

ticket-service constructs JWT authentication tokens ("tickets"). A typical use is to pass the token as a request parameter or in an authentication header, so that the receiving service can check that the request was generated by a trusted app within a valid user session, for a given url, referer and client ip.

The token contains:

  • an application id (aud)
  • an expiration time (exp), a Unix timestamp in seconds
  • a name, typically the id or url of the object (sub)
  • the ip address of the client (ip)
  • the HTTP referer (referer)
  • the range within the object to which access is granted (fragment), given as a start and an end time

The token is formatted as a JSON Web Token (JWT); its payload has the following shape.

{
    "aud": "<application id>",
    "exp": "<expiration time>",
    "sub": "<name>",
    "ip": "<clientip>",
    "referer": "<HTTP referer>",
    "fragment" : {
         "start": "<fragment start>",
         "end": "<fragment end>"
    }
}
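The following is an added example, not code from the ticket-service project: it mints a token with exactly the claim set listed above (HS256 with a kid header, as in the sample token further down) and, more importantly, shows what the consuming service has to verify before honouring a ticket: the signature under a pinned algorithm, exp, and that aud, sub, ip and referer match the request actually being served, plus a check that a requested time range falls inside the granted fragment. Only the standard library is used. The key, the kid value, the 600 second lifetime and the referer/fragment comparison rules are assumptions made for the example.

```python
"""Added example (not ticket-service's own code): mint and verify a ticket JWT."""
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_ticket(key, kid, aud, sub, ip, referer=None, fragment=None, ttl=600, now=None):
    """Build the HS256 ticket. The kid travels in the header so a verifier can pick
    the right key during rotation; ttl and now are assumptions of this example."""
    now = int(time.time()) if now is None else now
    claims = {"aud": aud, "exp": now + ttl, "sub": sub, "ip": ip}
    if referer is not None:
        claims["referer"] = referer
    if fragment is not None:
        claims["fragment"] = fragment
    header = {"alg": "HS256", "kid": kid}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_ticket(token, keys, aud, sub, ip, referer=None, now=None):
    """Return the claims if the token authorises this request, else raise ValueError.
    Every binding the token carries is compared with the request being served."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm: never let the token choose it ("none", key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    key = keys.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    now = int(time.time()) if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("expired or missing exp")
    if claims.get("aud") != aud:
        raise ValueError("aud mismatch")
    if claims.get("sub") != sub:
        raise ValueError("sub mismatch")
    if claims.get("ip") != ip:
        raise ValueError("ip mismatch")
    # referer is optional in the token; when present it must match exactly (assumed rule).
    if "referer" in claims and claims["referer"] != referer:
        raise ValueError("referer mismatch")
    return claims


def _to_seconds(stamp: str) -> float:
    """'HH:MM:SS.mmm' (the format in the sample response) -> seconds."""
    hours, minutes, seconds = stamp.split(":")
    return int(hours) * 3600 + int(minutes) * 60 + float(seconds)


def fragment_allows(claims, start: str, end: str) -> bool:
    """True if the requested range lies inside the granted fragment;
    a token without a fragment claim is taken to grant the whole object."""
    frag = claims.get("fragment")
    if frag is None:
        return True
    return (_to_seconds(frag["start"]) <= _to_seconds(start)
            and _to_seconds(end) <= _to_seconds(frag["end"]))


if __name__ == "__main__":
    KEYS = {"0002": b"constructed-demo-key-do-not-use"}  # constructed for the example
    tok = mint_ticket(KEYS["0002"], "0002", "app1", "media/browse.mp4", "91.183.203.23",
                      referer="https://example.org/media/",
                      fragment={"start": "00:04:27.000", "end": "00:05:06.000"},
                      now=1562580328)
    print(tok)
    print(verify_ticket(tok, KEYS, "app1", "media/browse.mp4", "91.183.203.23",
                        referer="https://example.org/media/", now=1562580900))
```

The verifier deliberately takes aud, sub and ip from the request it is serving rather than trusting anything in the token beyond the signature: a ticket minted for one object, app or client must not be reusable for another, which is the whole point of binding those values into the token.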

Examples

Request

curl -X GET --key mycert.key --cert mycert.cert \
  -H 'Content-Type: application/json' \
  -d '{
  "app": "app1",
  "referer": "https://example.org/media/",
  "client": "91.183.203.23"
  }' https://api.example.org/ticket/media/browse.mp4

Response

{
  "jwt": "eyJhbGciOiJIUzI1NiIsImtpZCI6IjAwMDIifQ.eyJhdWQiOiJhcHAxIiwiZXhwIjoxNTYyNTgwOTI4LCJzdWIiOiJtZWRpYS9icm93c2UubXA0IiwiaXAiOiI5MS4xODMuMjAzLjIzIiwicmVmZXJlciI6Imh0dHBzOi8vZXhhbXBsZS5vcmcvbWVkaWEvIiwiZnJhZ21lbnQiOnsic3RhcnQiOiIwMDowNDoyNy4wMDAiLCJlbmQiOiIwMDowNTowNi4wMDAifX0......",
  "context": {
    "aud": "app1",
    "exp": 1562580928,
    "sub": "media/browse.mp4",
    "ip": "91.183.203.23",
    "referer": "https://example.org/media/",
    "fragment": {
      "start": "00:04:27.000",
      "end": "00:05:06.000"
    }
  }
}

Usage

The ticket attributes can be given in a JSON formatted request body, as request uri parameters, or a combination of both. If the app or name attribute is missing from the request, it is deduced from the certificate's first O attribute or from the request uri respectively (in the example above, sub is media/browse.mp4 because the request was made to /ticket/media/browse.mp4).

referer is optional.

Access to the service requires a client certificate, signed by a trusted CA, whose subject contains the attribute DC=ticket. The O attributes of the subject restrict the media files for which a ticket will be generated. For example, the following certificate subject allows generating tokens for content owned by org1.

DC=ticket,O=org1,CN=John (jwt),[email protected]

Requests for content not owned by org1 receive an HTTP 403 response.

(The code assumes that the client certificate is verified upstream, injecting the certificate subject in a header.)
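The access rule described under Usage, as an added example rather than the project's own code: the upstream proxy has verified the client certificate and injects its subject DN in a request header; the service requires DC=ticket, takes the first O as the default app and the path after /ticket/ as the default name, and answers 403 when the object is owned by an organisation that is not among the subject's O attributes. The header name, the DN string format, the 401/404 statuses for a missing certificate or unknown object, and the ownership table are assumptions of this example (the page does not say how ownership is determined).

```python
"""Added example (not ticket-service's own code): certificate-subject authorisation."""
import re

# Constructed ownership table; the real service uses its own metadata.
OWNER_OF = {
    "media/browse.mp4": "org1",
    "media/other.mp4": "org2",
}

# Assumed header name. The proxy must set it from the verified certificate and drop
# any copy supplied by the client, otherwise the subject can simply be spoofed.
SUBJECT_HEADER = "X-Client-Cert-Subject"


def parse_dn(dn: str):
    """Split 'A=x,B=y' into ordered (ATTR, value) pairs, honouring '\\,' escapes."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs


def name_from_path(path: str) -> str:
    """'/ticket/media/browse.mp4' -> 'media/browse.mp4' (the default sub)."""
    if not path.startswith("/ticket/"):
        raise ValueError("not a ticket path")
    return path[len("/ticket/"):]


def authorize(headers: dict, path: str, attrs: dict):
    """Return (status, body) for a ticket request; attrs holds the merged
    body/query attributes (app, name, referer, client)."""
    subject = headers.get(SUBJECT_HEADER)
    if not subject:
        return 401, {"error": "client certificate required"}
    dn = parse_dn(subject)
    if "ticket" not in [v for a, v in dn if a == "DC"]:
        return 403, {"error": "certificate lacks DC=ticket"}
    orgs = [v for a, v in dn if a == "O"]
    if not orgs:
        return 403, {"error": "certificate has no O attribute"}
    app = attrs.get("app") or orgs[0]            # default app: first O
    name = attrs.get("name") or name_from_path(path)
    owner = OWNER_OF.get(name)
    if owner is None:
        return 404, {"error": "unknown object"}
    if owner not in orgs:
        return 403, {"error": "%s is owned by %s, not by %s" % (name, owner, ", ".join(orgs))}
    return 200, {"app": app, "name": name, "owner": owner}


if __name__ == "__main__":
    headers = {SUBJECT_HEADER: "DC=ticket,O=org1,CN=John (jwt)"}  # constructed subject
    print(authorize(headers, "/ticket/media/browse.mp4", {"app": "app1"}))
    print(authorize(headers, "/ticket/media/other.mp4", {}))
```

Because the service trusts the injected subject completely, the security of the whole scheme rests on the proxy: it has to require and verify the client certificate against the intended CA, and overwrite (never merge) the subject header, so that a request arriving with its own X-Client-Cert-Subject cannot impersonate an organisation.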

About

create authentication tokens
