A signed URL is a regular URL resource request appended with a special token: a digital signature. Effectively, the capacity to present a valid token for a given resource gives authorization (not to be confused with authentication) to access it: the data service does not need to know who the client is, only that the token is genuine.
This concept is widely used for access to objects in Amazon's S3 buckets, where it goes by the name pre-signed URL.
Quick example:
User Alice requests access for resource identified as XYZ from mydataservice: mydataservice.com/v1/product/xyz?sig=OBDU759H69
Mydataservice validates the digital signature carried in the sig query parameter (OBDU759H69 here) and, if it checks out, serves the requested data. But how do digital signatures work, and how are they used for authorization purposes?
A signed URL code example can be found on github.
What is a digital signature?
Signed URLs use the concept of a digital signature.
Digital signatures are often explained as the public key cryptosystem run in reverse. That picture is a useful first approximation and it is the one used below; the caveat at the end of this section says where it stops being accurate.
A public key cryptosystem works with 2 keys known as the public and private keys. For encryption, a client encrypts the data to send with the public key. Only the receiving party, such as an e-mail or banking service, can decrypt the data with the corresponding private key. The private key should only be in the hands of the receiving party.
Effectively the private key can be viewed as the service’s identity. Nobody shares their social security number after all!
With that concept in mind, a digital signature reverses the scheme: the holder of the private key produces the signature, and anyone holding the public key can check it.
Only the service owning the private key can produce a valid signature. Anyone can verify it using the public key.
So much for keeping the data secret, and that is precisely the point! This is no longer about hiding the data but about identifying where it came from and proving it was not altered on the way.
If the public key successfully verifies the signature, we can safely assume the signed data came from the party owning the corresponding private key and has not been modified since. One caveat to the "encryption in reverse" picture: in practice the signer does not encrypt the data itself. It hashes the data and signs the hash, and the verifier recomputes the hash and checks the signature against it, so the data travels in the clear next to its signature. For RSA the signing operation really is the private-key counterpart of encryption; for other signature schemes such as ECDSA or Ed25519 there is no encryption operation at all, only sign and verify.
In other words, a private key acts as a unique signature or should I say a digital signature!
What is digital signature based authentication?
Before we answer that question, why even have it in the first place?
Answer: separation of concerns.
We should let data services do what they do best, serve data.
In the old world, a server would authenticate a user (who is the user?) and check authorization (what is the user allowed to access?) for access to a specific resource.
That is a lot of work for a data service. Also, imagine you had to build 50 more data services. Is each one going to implement its own authorization check?
Probably not. Most likely, you will create a service which checks the authorization, and each data service will call the authorization service upon each request. That's better, but it still sounds like a lot of network chit-chatting.
Let’s take that last implementation a step further. We want to eliminate that extra hop from the data service to the authorization service.
Instead let’s have the client get the authorization directly from the authorization service in the form of a special token and present it to the data service. The data service would only need to check the validity of the token.
So what are the token and its content?
Now that we know how digital signatures work, let's walk through an example of a signed URL.
Let’s take our earlier resource request:
mydataservice.com/v1/product/xyz?sig=OBDU759H69
In this example, the token would be the resource id XYZ signed with the authorization service's private key. In other words, it is a signature over a document containing the id XYZ.
When presented with the URL in this form, the data service verifies the signature 'sig' against the id 'XYZ' taken from the URL, using the authorization service's public key. If the signature verifies, the client is granted access to the resource. Two practical points: the check must happen before any data is served, and the signature must cover everything the data service relies on (the full path, the HTTP method and the expiry described next), not only the id, because anything outside the signature can be changed by whoever holds the URL.
You can embed anything you want in the signed data, and that includes an expiry time (a TTL) so that the token is only valid for a certain amount of time. The expiry must be inside the signed data; an expiry sent as a separate, unsigned query parameter can simply be rewritten by the client.
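Here is a worked version of the scheme described above, as an added example rather than code from the original post or from any of the services it mentions. It uses an HMAC-SHA256 signature from Python's standard library, the symmetric cousin of the public-key signature discussed in the previous section and what Amazon's own pre-signed S3 URLs use; the public-key variant is the same code with the HMAC replaced by a sign call in the authorization service and a verify call, holding only the public key, in the data service. The host name, the query parameter names exp and sig, the canonical string layout and the demo key are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key (assumption). With HMAC the authorization service and the
# data service share it; with a public-key signature the authorization service
# would hold a private key and the data service only the matching public key.
DEMO_KEY = b"constructed-demo-key-do-not-use-in-production"
HOST = "https://mydataservice.com"  # the host from the post's example


def canonical_string(method, path, expires):
    # Everything the data service acts on goes under the signature. Leave the
    # path or the expiry out and whoever holds the URL can point it at another
    # resource or stretch the TTL without invalidating the token.
    return f"{method.upper()}\n{path}\n{expires}".encode()


def make_sig(key, method, path, expires):
    mac = hmac.new(key, canonical_string(method, path, expires), hashlib.sha256).digest()
    # base64url without padding keeps the token URL-safe
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def sign_url(key, path, now, ttl, method="GET"):
    """Authorization service side: mint a URL valid for ttl seconds from now."""
    expires = now + ttl
    query = urlencode({"exp": expires, "sig": make_sig(key, method, path, expires)})
    return f"{HOST}{path}?{query}"


def verify_url(key, url, now, method="GET"):
    """Data service side: returns (ok, reason); call it before serving anything."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False, "missing or malformed exp/sig"
    expected = make_sig(key, method, parts.path, expires)
    # constant-time comparison so a forger learns nothing from response timing
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "bad signature"
    # Check the TTL only after the signature is known to be genuine: the expiry
    # is trusted because it was signed, not because the client sent it.
    if now > expires:
        return False, "expired"
    return True, "ok"


def demo(now=1_700_000_000):
    """Exercise the happy path and the failure modes; returns the outcomes."""
    url = sign_url(DEMO_KEY, "/v1/product/xyz", now, ttl=300)
    return {
        "url": url,
        "fresh": verify_url(DEMO_KEY, url, now + 60),
        "expired": verify_url(DEMO_KEY, url, now + 301),
        # client edits the path to reach another resource
        "other_resource": verify_url(DEMO_KEY, url.replace("/xyz", "/abc"), now + 60),
        # client edits the expiry to stretch the TTL
        "stretched_ttl": verify_url(DEMO_KEY, url.replace(f"exp={now + 300}", "exp=1900000000"), now + 60),
        "wrong_key": verify_url(b"some-other-key", url, now + 60),
        "no_token": verify_url(DEMO_KEY, f"{HOST}/v1/product/xyz", now),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order of the checks in verify_url is deliberate: the signature is verified first so that the expiry, the path and the method are only ever read from data that is known to be authentic, and the comparison uses hmac.compare_digest rather than == so that a forged token cannot be refined byte by byte from timing differences.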
What more can you do with signed URLs?
You can share it! Let's say you uploaded a document to your server. You can give temporary access (assuming there is a TTL) to a client by sharing the signed URL. Remember that a signed URL is a bearer credential: anyone who obtains it, for instance from a proxy log, a browser history or a Referer header, can use it until it expires, so keep the TTL short and only hand it out over HTTPS.
Please let me know if you have any questions!