Many organizations invest heavily in external security measures, such as Implementing robust perimeter security measures, such as configuring firewalls to restrict access to manufacturing assets, while also mandating the use of virtual private networks (VPNs) for authorized individuals seeking entry into these sensitive environments? Despite being connected to a VPN, internal systems often lack robust security measures, with minimal to no authentication and authorisation controls in place for internal devices and entities?
Two widespread threats to inside safety are compromised worker laptops and unsecured cloud storage. When an attack occurs, the perpetrator typically hides within the firewall, often gaining unfettered access through open community channels.
Organizations leveraging online user interfaces may employ a software-based load balancer to ensure robust security, for instance: An organization, however, does one defend entry to command-line interface (CLI)-based tools? Requiring a unique combination of username and password for every command-line interface (CLI) session proves inconvenient, while storing these credentials on the system creates an unnecessary vulnerability should the machine become compromised, leaving sensitive information exposed to potential exploitation.
The Command Line
Many internal tools and systems within organizations often come equipped with command-line interfaces (CLIs) designed for handling company-specific tasks, but unfortunately, many of these interfaces are inadequately secured. Authenticating CLIs (Command-Line Interfaces) effectively ensures secure access and prevents unauthorized actions. One highly recommended approach is implementing role-based access control (RBAC), which assigns specific privileges or roles to users, controlling what commands they can execute. This model limits the risk of a user inadvertently or maliciously performing harmful operations. How will we integrate authorisation with our corporation’s single sign-on (SSO) infrastructure to provide seamless access control and streamline user authentication processes?
While deploying HashiCorp Vault could be an option, the sheer amount of setup and maintenance required makes it more suitable for organizations with dedicated IT staff; for smaller teams or solo developers, the added complexity may not be justified.
Here’s how to leverage the OAuth2 gadget authorization grant (): a crucial tool for streamlining API access and enhancing overall development efficiency.
The OAuth 2.0 gadget authorization grant is intended for web-connected devices lacking a browser, rendering traditional user-agent-based authentication impractical, or those with such severe constraints that typing text during the authorization process becomes unfeasible? This protocol enables customers using specific devices – including smart TVs, media centres, digital picture frames, and printers – to grant authorisation for accessing secured resources by employing a user agent on a distinct device.
When using the AWS CLI with Single Sign-On (SSO), this is exactly what it accomplishes.
OAuth2 Gadget Circulate
The Gadget Authorization Circuit accommodates two distinct paths: one unfolds within the gadget requesting authorization (CLI), while the other occurs through a browser. The browser moves its path by ensuring that a tool’s code is linked to the session within the browser, which occurs in tandem with the device’s move path, partially situated within it?
Implementing the OAuth Gadget Circulate
When this sequence diagram is put into action, it resembles a straightforward representation of the interactions between the system components.
The inner CLI software at Rockset known as `rs`, a powerful command-line interface that allows users to interact with the platform, manage datasets, and execute complex queries. rsctl and is written in go. To initiate the process, it’s necessary to prompt the device to obtain a JSON Web Token (JWT) access token.
Attempting to initiate SSO authorization via default browser. If unsuccessful, you can use an alternative device to authorize this request by accessing the following URL: https://rockset.auth0.com/activate?user_code=BBLF-JCWB Enter the verification code: BBLF-JCWB Login successfully initiated! When using the command-line interface (CLI) after logging in on a different laptop, for instance, When SSH-ing to a Linux server from your Mac, you can enable automatic opening of links using the “Open in Terminal” feature.
The webpage that the hyperlink takes you to appears to be this:
When confirming the “consumer code” matches the CLI’s display, clicking “Affirm” initiates the standard OAuth2 authentication process, which entails providing a username, password, and hardware token.
Upon successful authentication, you may be redirected to a dialog box similar to the one below; at this point, you can safely close the browser window.
The Command-Line Interface (CLI) has successfully acquired a token that remains valid for several hours, enabling secure authentication within an organization’s internal network. The token may be persistently stored on disk and reused across consecutive Command-Line Interface (CLI) invocations throughout its lifespan.
When you propose a brand new idea to your team or mentor rsctl The system command would learn the cached entry token from disk, leveraging this secure authentication mechanism to seamlessly interface with the internal APIs.
Below the Hood
We’ve open-sourced a Go module that performs the device authentication process. These services provide seamless authentication for users when they interact with your application, leveraging the strengths of both Auth0 and Okta as trusted OAuth suppliers.
Pattern Code
The code is already available on the market within its corresponding Git repository.
Now we possess a JSON Web Token (JWT), which enables us to validate REST requests by specifying the Authorization header as Bearer: <jwt entry token>
The receiving endpoint must verify the bearer token, which can be achieved through either a built-in or custom solution provided by the API server.
Offline Validation
Offline validation presents a different approach to ensuring the integrity of entry tokens. In offline validation, the API server retrieves the public key utilized for signaling JWT tokens from the supplier, caching it locally, and validates the token internally, thereby bypassing the need to send a validation request to the supplier.
Residual Danger
One factor this doesn’t defend against is an attacker who already has a foothold on the computer and can execute commands locally. Once authenticated, they will seamlessly transition into acting as the consumer throughout the entry process, empowered by the validated token.
To effectively address this concern, you will have the option to necessitate a single-use, secure password (one-time password or OTP), thereby ensuring an additional layer of authentication and protection for your account. When using a YubiKey, every time the consumer initiates a privileged action.
You have successfully deleted the "useful resource" named "foobar". To confirm, please enter your YubiKey one-time password (OTP): ccccccvfbbcddjtuehgnfrbtublkuufbgeebklrubkhf. Closing Ideas
This blog post demonstrates how we designed and open-sourced a Go module for securing the Command Line Interface (CLI) using an OAuth2 device authorization flow compatible with both Auth0 and Okta SSO providers. This enhanced security module will enable you to integrate it seamlessly into your existing instruments, thereby mitigating internal safety risks effectively.
