authentication-facade


On the Friday before my winter break we had a hack day at Zemanta. My hack day project was authentication-facade, a simple proxy in front of internal applications that authenticates users through Google's OAuth service. The problem I was trying to solve with authentication-facade is giving our American colleagues access to the internal dashboard without a virtual private network (VPN), which is a potential security issue in its own right and is non-trivial to set up. Furthermore, many public wireless networks limit traffic to port 80, which rules out the VPN and prevents me from checking the health of Zemanta's systems from my favorite vacation spots. The authentication-facade is composed of two main components. The first authenticates users with the Google OAuth protocol and checks that they are authorized. The second is a proxy/bridge to internal applications: it selectively exposes public URLs for resources that are otherwise reachable only from the internal network. Requiring an explicit mapping for every internal resource we want to expose makes for some extra work, but it also makes the authentication-facade much more secure: nothing is reachable by accident, because a resource without a mapping cannot be requested at all.

When a user accesses authentication-facade (always over https!) they are first redirected to Google, where they must log in (if not already logged in) and grant the facade access to their name and email address. Once authenticated, the user accesses resources through the publicly exposed URLs. On each request the authentication-facade fetches, from the internal network, the resource associated with the requested public URL. Since some resources (html, javascript and css files, for example) reference other internal resources, the authentication-facade replaces every reference to a mapped internal resource with its publicly accessible URL. Mappings must be defined by hand; a reference with no mapping has no public URL and so cannot be reached through the facade, which prevents unintentional resource exposure. This provides cascading loading of resources and makes it possible to expose complete internal applications through authentication-facade even when the application depends on internal resources spread over several systems.
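The two halves of that flow (the authorization decision after Google has returned the user's email, and the explicit public-to-internal mapping with URL rewriting of fetched bodies) are shown below as an added, self-contained example. It is not code from the authentication-facade repository: the mapping table, the `example.com` company domain, the `.internal` host suffix, the sample dashboard page and the injected `fetch` stand-in are all constructed for this illustration. Public URLs are emitted as root-relative paths on the facade host, and path normalisation is applied before the prefix match so a request like `/dash/../admin/` cannot escape its mapping.

```python
import posixpath
import re

# Constructed example: explicit mapping of public facade paths to internal URLs.
# Only paths listed here are ever fetched; everything else is refused.
MAPPINGS = {
    "/dash/": "http://dashboard.internal:8080/",
    "/dash/static/": "http://static.internal/assets/",
    "/metrics/": "http://graphite.internal/render/",
}

# Assumed company domain: only Google accounts under it are let through.
ALLOWED_DOMAIN = "example.com"

# Content types whose bodies may embed references to other internal resources.
REWRITE_TYPES = ("text/html", "text/css", "application/javascript", "text/javascript")

# Assumption for this example: every internal host lives under the .internal
# suffix, so any such URL still present after rewriting is an unmapped (and
# therefore unreachable) reference worth logging.
INTERNAL_URL = re.compile(r'''https?://[\w.-]+\.internal(?::\d+)?(?:/[^\s"'<>)]*)?''')


def is_authorized(userinfo):
    """Decide from the Google userinfo (name/email the user granted) whether the
    account belongs to the company domain. Unverified addresses are user-chosen,
    so the verified flag is required as well."""
    email = userinfo.get("email", "")
    return bool(userinfo.get("verified_email")) and email.endswith("@" + ALLOWED_DOMAIN)


def resolve(public_path):
    """Map a requested public path to its internal URL, or None if unmapped.
    Longest public prefix wins, so /dash/static/ takes precedence over /dash/."""
    norm = posixpath.normpath(public_path)
    if public_path.endswith("/") and not norm.endswith("/"):
        norm += "/"  # normpath strips the trailing slash; keep it for prefix matching
    if not norm.startswith("/"):
        return None
    for public_prefix in sorted(MAPPINGS, key=len, reverse=True):
        if norm.startswith(public_prefix):
            return MAPPINGS[public_prefix] + norm[len(public_prefix):]
    return None


def rewrite_body(body):
    """Replace every mapped internal URL prefix with its public path so the
    browser's follow-up requests (css, js, images) come back through the facade.
    Returns the rewritten body and the internal URLs that had no mapping."""
    for public_prefix, internal_prefix in sorted(
        MAPPINGS.items(), key=lambda kv: len(kv[1]), reverse=True
    ):
        body = body.replace(internal_prefix, public_prefix)
    return body, INTERNAL_URL.findall(body)


def handle(public_path, userinfo, fetch):
    """One facade request end to end. fetch(internal_url) returns
    (status, content_type, body); it is injected so the example runs offline."""
    if not is_authorized(userinfo):
        return 403, "text/plain", "forbidden"
    internal_url = resolve(public_path)
    if internal_url is None:
        return 404, "text/plain", "no public mapping for this path"
    status, content_type, body = fetch(internal_url)
    if content_type.startswith(REWRITE_TYPES):
        body, unmapped = rewrite_body(body)
        for url in unmapped:
            print("unmapped internal reference in %s: %s" % (internal_url, url))
    return status, content_type, body


# Constructed internal dashboard page, standing in for the internal network.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://static.internal/assets/site.css">
<script src="http://dashboard.internal:8080/js/app.js"></script>
</head><body>
<img src="http://graphite.internal/render/?target=cpu">
<a href="http://wiki.internal/runbook">runbook</a>
</body></html>"""


def fake_fetch(internal_url):
    """Stand-in for the real fetch from the internal network."""
    if internal_url == "http://dashboard.internal:8080/index.html":
        return 200, "text/html", SAMPLE_HTML
    return 404, "text/plain", "not found"


if __name__ == "__main__":
    alice = {"email": "alice@example.com", "verified_email": True}
    status, ctype, out = handle("/dash/index.html", alice, fake_fetch)
    print(status, ctype)
    print(out)
```

In the sample page the stylesheet, script and graph image are rewritten to `/dash/static/site.css`, `/dash/js/app.js` and `/metrics/?target=cpu`, while the link to `wiki.internal` has no mapping, stays as an internal URL that a user outside the network cannot reach, and is logged so whoever maintains the mapping table can decide whether it should be exposed.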
