Remote IdentityWhen fpm serve is running with on remote, it needs to get all the identities of the user who is currently making the HTTP request to decide if the user has access or not.
Note: We know if fpm serve is running in remote if remote cargo feature is enabled.
On local, for testing, fpm will find the user (who is making the http request) identities via a cookie named identities. But this is not secure as end user can modify the cookies.
On remote, we will have a cookie named sid (session id). If the cookie is present, fpm will make a HTTP request to identity service to fetch the identity.
When fpm serve is running with on remote, it needs to get all the identities of the user who is currently making the HTTP request to decide if the user has access or not.
Note: We know if fpm serve is running in remote if remote cargo feature is enabled.
On local, for testing, fpm will find the user (who is making the http request) identities via a cookie named identities. But this is not secure as end user can modify the cookies.
On remote, we will have a cookie named sid (session id). If the cookie is present, fpm will make a HTTP request to identity service to fetch the identity.
Identity ServiceIdentity service is responsible for logging user in, and managing all the identities of the user. FPM and identity service communicates via the sid cookie.
TODO: fpm will find the URL of identity service using FPM_IDENTITY environment variable.
FPM will call /get-identities/ API on identity service, which will return the list of identities.
Identity service is responsible for logging user in, and managing all the identities of the user. FPM and identity service communicates via the sid cookie.
TODO: fpm will find the URL of identity service using FPM_IDENTITY environment variable.
FPM will call /get-identities/ API on identity service, which will return the list of identities.
/get-identities/?sid=<sid>&github=abrarnitk{ "user-identities": [ { "email": "yo@y.com" }, { "github": "abrarnitk" } ] }
Access ControlOnce fpm gets the identities of user corresponding to current HTTP request, it will then look at user group definitions in FPM.ftd and find all the groups the the current user belongs to.
fpm gets the identities of user corresponding to current HTTP request, it will then look at user group definitions in FPM.ftd and find all the groups the the current user belongs to.-- import: fpm -- fpm.package: amitu.com -- fpm.user-group: FifthTry People id: fifthtry-people email: yo@y.com github-team: FifthTry/everyone
Then based on email: yo@y.com, we know the user belongs to fifthtry-people group. The other identity, github: foo did not match any groups. The maker of http request belongs to only one group.
Now we will look at the sitemap, find the readers of the current URL that is requested. If the user belongs to a group that has read access to current URL the user can read it, else fpm will return 401.
Optimization: If URL Is World Readable Then We Won’t Read sidTODO: sid cookie and the identity stuff is only needed to see if a private URL is readable by the specific user making request. If the URL is public, readable by the world, then there is no need to do any checks.
sidsid cookie and the identity stuff is only needed to see if a private URL is readable by the specific user making request. If the URL is public, readable by the world, then there is no need to do any checks.