Securing the CLI with OAuth2 Machine Authorization

Securing the CLI with OAuth2 Machine Authorization

Most corporations have sturdy exterior safety, e.g. blocking all entry to manufacturing property utilizing a firewall, and requiring a VPN to get “inside” entry to manufacturing environments. Nonetheless, as soon as you’re related to the VPN, the inner techniques are normally very poorly protected, and there may be little to no authentication and authorization for inner instruments and companies.

Two widespread threats to inner safety are compromised worker laptops and supply chain attacks. In these situations, the attacker operates behind the firewall, usually with unrestricted community entry.

Companies with an online ui will be secured utilizing an software load balancer, e.g. an AWS ALB with OIDC, however how do you defend entry to command line interface (CLI) primarily based instruments? Requiring a username and password for each CLI invocation makes it painful to make use of and storing the credentials on the system leaves them huge open in case the pc they reside on is compromised.

The Command Line

Most inner instruments have a CLI to handle the companies which might be used inside the firm and plenty of are poorly protected. What’s the easiest way to authorize CLIs? And how will you tie authorization into the corporate’s SSO?

One choice is to deploy Hashicorp Vault, however that’s lots of setup and upkeep, so except you have got a crew to function it, Vault may not be a very good match.

Another choice is the OAuth2 system authorization grant (RFC8628), which is what this weblog publish will present you easy methods to use.

The OAuth 2.0 system authorization grant is designed for Web-connected units that both lack a browser to carry out a user-agent-based authorization or are enter constrained to the extent that requiring the person to enter textual content to be able to authenticate through the authorization circulation is impractical. It allows OAuth purchasers on such units (like good TVs, media consoles, digital image frames, and printers) to acquire person authorization to entry protected sources by utilizing a person agent on a separate system.

When you ever used the AWS CLI with Single SignOn, that is what it does.

OAuth2 Machine Circulation

The Machine Authorization Circulation comprises two totally different paths; one happens on the system requesting authorization (the CLI) and the opposite happens in a browser. The browser circulation path, whereby a tool code is sure to the session within the browser, happens as a parallel path half within the system circulation path.


Implementing the OAuth Machine Circulation

Now we’ll take a look at what the above sequence diagram appears like when it’s applied.

The interior CLI instrument at Rockset is known as rsctl and is written in go. Step one is to provoke the system circulation to get a JWT entry token.

$ rsctl login
Making an attempt to robotically open the SSO authorization web page in your default browser.
If the browser doesn't open otherwise you want to use a special system to authorize this request, open the next URL:

Then enter the code:

Efficiently logged in!

If you’re utilizing the CLI after logging in to a different laptop, e.g. ssh:ing to a Linux server, and you employ macOS, you possibly can configure iTerm to robotically open the hyperlink utilizing a “Run command” trigger.

The web page that the hyperlink takes you to appears like this:

Device Confirmation

After you have confirmed that the “person code” is appropriate (matches with what the CLI exhibits), and also you click on “Verify”, it would take you thru the conventional OAuth2 login process (which in our case requires a username, password and {hardware} token).

As soon as the authentication is accomplished, you may be redirected and introduced with a dialog just like the one under, and you may shut the browser window.

Device Confirmation

The CLI has now obtained a jwt access token which is legitimate for numerous hours and is used to authenticate by way of inner companies. The token will be cached on disk and reused between CLI invocations in the course of its lifetime.

Once you concern a brand new rsctl command, it would learn the cached Entry Token from disk, and use it to authenticate with the inner APIs.

Underneath the Hood

We’ve applied and open sourced a go module to carry out the system authorization circulation ( It helps each Auth0 and Okta as OAuth suppliers.

Pattern Code

The next code is accessible within the example directory within the git repository.

Embedded content:

We now have a JWT token, which can be utilized to authenticate REST calls by setting the Authorization header to Bearer: <jwt entry token>

Embedded content:

It’s now as much as the receiving finish to validate the bearer token, which will be accomplished utilizing an AWS ALB with OIDC authentication or a provider specific API from the API server.

Offline Validation

Another choice for entry token validation is “offline validation”. In offline validation, the API server will get the general public key used to signal the JWT token from the supplier (and caches the general public key) and performs the validation within the API server, as a substitute of constructing a validation request to the supplier.

Residual Threat

One factor this doesn’t defend in opposition to is an attacker with a foothold on the pc that executes the CLI. They’ll simply wait till the person has accomplished the authentication, and they’ll then have the ability to act because the person in the course of the entry token.

To mitigate this danger, you possibly can require a one time password (OTP), e.g. a Yubikey, each time the person performs a privileged motion.

$ rsctl delete useful resource foobar
please enter yubikey OTP: ccccccvfbbcddjtuehgnfrbtublkuufbgeebklrubkhf
useful resource foobar deleted

Closing Ideas

On this weblog, we’ve got proven how we constructed and open-sourced a go module to safe the Command Line Interface (CLI) utilizing an OAuth2 system authorization circulation that helps each Auth0 and Okta SSO suppliers. You possibly can add this go module to your inner instruments and scale back inner safety threats.

Leave a Reply

Your email address will not be published. Required fields are marked *