Dashboard¶
The Anbox Cloud Dashboard (dashboard) is using cryptographic technology for:
TLS transport encryption
Registration of new users
User authentication
Mutual TLS based authentication
TLS transport encryption¶
All network endpoints exposed by the dashboard are secured with TLS using an 4096 bit RSA key. The dashboard strictly enforces TLS 1.2 or later and does not provide backward compatibility with older TLS versions.
Registration of new users¶
For registering a new user, a token is generated using the PyJWT library.
The token includes the user’s email and the token’s validity period as payload data. This
payload
dictionary is passed to theencode()
function from the PyJWT library.A secret key is used to sign the token. The HMAC SHA-256 algorithm is used in the signing process.
The
encode()
function returns a JWT, which is a string representing the encoded and signed payload data.
The dashboard uses PyJWT to decode the token after it has been presented by the user, verifies its validity and checks its expiration:
The token, in the form of a JWT string, is passed to the
decode()
function from the PyJWT library.The secret key is used to verify the token’s signature and the expected signing algorithm for the token is HMAC SHA-256.
The
decode()
function verifies the token’s signature using the secret key and algorithm. If verification is successful, it decodes the token and returns the original payload dictionary.
User authentication¶
When authenticating with an external identity provider, the following actions are performed:
- Retrieving ID Tokens
ID tokens, which contain the user’s email and full name, are obtained from the authentication server.
- Decoding Unverified Headers
Initially, the
get_unverified_header()
function frompython-jose
is used to decode the token’s unverified headers and extract the key ID.- Fetching and Caching JWKS
The JSON Web Key Set (JWKS) is fetched from the JWKS endpoint and is cached. For subsequent requests, the cached JWKS is checked for a key matching the key ID in the token. If the key is not found in the cache, the JWKS is fetched again.
- Decoding the Token
The
decode()
function frompython-jose
is used to decode the token. This process uses the JWKS containing the key ID and verifies the audience.
Mutual TLS based authentication¶
The dashboard uses mutual TLS authentication to establish a trusted TLS communication channel with the Anbox management Service (AMS) to communicate with the AMS API. To do this, the dashboard generates a TLS certificate using a 4096 bit RSA key.
Packages used¶
python-jose
, supplied by PyPI