• This repository has been archived on 11/Jan/2023
  • Stars
    star
    119
  • Rank 281,813 (Top 6 %)
  • Language
    Python
  • License
    Apache License 2.0
  • Created about 11 years ago
  • Updated about 4 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

a public key backed client/server authentication system

crtauth - a public key backed client/server authentication system

The latest version of this software can be fetched from GitHub.

crtauth is a system for authenticating a user to a centralized server. The initial use case is to create a convenient authentication for command line tools that interacts with a central server without resorting to authentication using a shared secret, such as a password.

The code available in this project is written in Python. There is also a Java version, implementing the same protocol available at https://github.com/spotify/crtauth-java

crtauth leverages the public key cryptography mechanisms that is commonly used by ssh(1) to authenticate users to remote systems. The goal of the system is to make the user experience as seamless as possible using the ssh-agent program to manage access to encrypted private keys without asking for a password each time the command is run

The name of the project is derived from the central concepts challenge, response, token and authentication, while at the same time reminding us old timers of the soon to be forgotten cathode ray tube screen technology.

Using the library

For the server side functionality there is a high level API available in the wsgi module. It provides wsgi middleware functionality that can be used to protect a service using the crtauth authentication mechanism. hello_world_server gives a minimal example on how this API is used. If crtauth is to be used in a non-WSGI environment, there is a lower level API available in the server module.

For clients an authentication plugin for Python Requests is available. An example use of the client module can be seen in the hello_world_client example.

Technical details

This section gives big picture overview of how crtauth operates. For the specifics of the protocol and it's messages, please see the specification.

Command line tools that connect to a central server to perform some action or fetch some information can be a very useful thing. crtauth is currently specified to work with HTTP as transport, but it is entirely possible to re-use that exposes information about servers using an HTTP-based API.

The basic operation of the protocol follows the following pattern

  • The client requests a challenge from the server, providing a username.
  • The server creates a challenge that gets sent back to the client.
  • The client signs the challenge and returns the response to the server.
  • The server verifies that the response is valid and if so it issues an access token to the client.
  • The access token is provided to when calling protected services.
  • The server validates that the token is valid and if so, provides access to the client.

The that implement this mechanism has two parts, one for the server and one for the client. A server that wants to authenticate clients instantiates an AuthServer instance (defined in the crtauth.server module) with a secret and a KeyProvider instance as constructor arguments. The very simple FileKeyProvider reads public keys from a filesystem directory using a filename pattern derived from the username of the connecting user.

Once there is an AuthServer instance, it can generate a challenge string for a specific user using the create_challenge() method.

The client part of the mechanism is also contained in the crtauth.server module, in the create_response() function. It takes a challenge string provided by the server and returns a response string suitable for sending back to the server.

The server in turn validates the response from the client and if it checks out it returns an access token that can be used by the client to make authenticated requests. This validation is done in the create_token() method of the AuthServer class.

For subsequent calls to protected services, the provided access token can be verified using the validate_token() method of the AuthServer instance.

SSH keys from LDAP

This library also provides functionality to extract public ssh keys for connecting users using an LDAP directory. To use this functionality, which is available in the ldap_key_provider.py module, the python-ldap module needs to be installed.

License

crtauth is free software, this code is released under the Apache Software License, version 2. The original code is written by Noa Resare with contributions from John-John Tedro, Erwan Lemmonier, Martin Parm and Gunnar Kreitz

All code is Copyright (c) 2011-2017 Spotify AB

More Repositories

1

luigi

Luigi is a Python module that helps you build complex pipelines of batch jobs. It handles dependency resolution, workflow management, visualization etc. It also comes with Hadoop support built in.
Python
17,089
star
2

annoy

Approximate Nearest Neighbors in C++/Python optimized for memory usage and loading/saving to disk
C++
12,458
star
3

docker-gc

INACTIVE: Docker garbage collection of containers and images
Shell
5,068
star
4

pedalboard

πŸŽ› πŸ”Š A Python library for working with audio.
C++
4,748
star
5

chartify

Python library that makes it easy for data scientists to create charts.
Python
3,447
star
6

basic-pitch

A lightweight yet powerful audio-to-MIDI converter with pitch bend detection
Python
2,759
star
7

dockerfile-maven

MATURE: A set of Maven tools for dealing with Dockerfiles
Java
2,730
star
8

docker-maven-plugin

INACTIVE: A maven plugin for Docker
Java
2,652
star
9

scio

A Scala API for Apache Beam and Google Cloud Dataflow.
Scala
2,485
star
10

helios

Docker container orchestration platform
Java
2,097
star
11

web-api-examples

Basic examples to authenticate and fetch data using the Spotify Web API
HTML
1,889
star
12

HubFramework

DEPRECATED – Spotify’s component-driven UI framework for iOS
Objective-C
1,864
star
13

apollo

Java libraries for writing composable microservices
Java
1,648
star
14

dh-virtualenv

Python virtualenvs in Debian packages
Python
1,590
star
15

docker-client

INACTIVE: A simple docker client for the JVM
Java
1,425
star
16

docker-kafka

Kafka (and Zookeeper) in Docker
Shell
1,397
star
17

SPTPersistentCache

Everyone tries to implement a cache at some point in their iOS app’s lifecycle, and this is ours.
Objective-C
1,244
star
18

mobius

A functional reactive framework for managing state evolution and side-effects.
Java
1,196
star
19

sparkey

Simple constant key/value storage library, for read-heavy systems with infrequent large bulk inserts.
C
1,143
star
20

ruler

Gradle plugin which helps you analyze the size of your Android apps.
Kotlin
1,094
star
21

voyager

πŸ›°οΈ Voyager is an approximate nearest-neighbor search library for Python and Java with a focus on ease of use, simplicity, and deployability.
C++
1,090
star
22

XCMetrics

XCMetrics is the easiest way to collect Xcode build metrics and improve developer productivity.
Swift
1,070
star
23

web-api

This issue tracker is no longer used. Join us in the Spotify for Developers forum for support with the Spotify Web API ➑️ https://community.spotify.com/t5/Spotify-for-Developers/bd-p/Spotify_Developer
RAML
981
star
24

echoprint-codegen

Codegen for Echoprint
C++
948
star
25

snakebite

A pure python HDFS client
Python
859
star
26

heroic

The Heroic Time Series Database
Java
843
star
27

klio

Smarter data pipelines for audio.
Python
825
star
28

XCRemoteCache

Swift
816
star
29

SPTDataLoader

The HTTP library used by the Spotify iOS client
Objective-C
624
star
30

apps-tutorial

A Spotify App that contains working examples of the use of Spotify Apps API
624
star
31

ios-sdk

Spotify SDK for iOS
Objective-C
609
star
32

JniHelpers

Tools for writing great JNI code
C++
584
star
33

postgresql-metrics

Tool that extracts and provides metrics on your PostgreSQL database
Python
583
star
34

reactochart

πŸ“ˆ React chart component library πŸ“‰
JavaScript
546
star
35

Mobius.swift

A functional reactive framework for managing state evolution and side-effects [Swift implementation]
Swift
539
star
36

dockerfile-mode

An emacs mode for handling Dockerfiles
Emacs Lisp
517
star
37

threaddump-analyzer

A JVM threaddump analyzer
JavaScript
481
star
38

featran

A Scala feature transformation library for data science and machine learning
Scala
467
star
39

android-sdk

Spotify SDK for Android
HTML
440
star
40

echoprint-server

Server for the Echoprint audio fingerprint system
Java
398
star
41

web-scripts

DEPRECATED: A collection of base configs and CLI wrappers used to speed up development @ Spotify.
TypeScript
382
star
42

completable-futures

Utilities for working with futures in Java 8
Java
378
star
43

SpotifyLogin

Swift framework for authenticating with the Spotify API
Swift
344
star
44

ratatool

A tool for data sampling, data generation, and data diffing
Scala
334
star
45

fmt-maven-plugin

Opinionated Maven Plugin that formats your Java code.
Java
299
star
46

big-data-rosetta-code

Code snippets for solving common big data problems in various platforms. Inspired by Rosetta Code
Scala
286
star
47

trickle

A small library for composing asynchronous code
Java
284
star
48

coordinator

A visual interface for turning an SVG into XY coΓΆrdinates.
HTML
282
star
49

pythonflow

🐍 Dataflow programming for python.
Python
279
star
50

styx

"The path to execution", Styx is a service that schedules batch data processing jobs in Docker containers on Kubernetes.
Java
267
star
51

cstar

Apache Cassandra cluster orchestration tool for the command line
Python
254
star
52

netty-zmtp

A Netty implementation of ZMTP, the ZeroMQ Message Transport Protocol.
Java
242
star
53

ios-style

Guidelines for iOS development in use at Spotify
240
star
54

cassandra-reaper

Software to run automated repairs of cassandra
234
star
55

confidence

Python
232
star
56

spotify-web-api-ts-sdk

A Typescript SDK for the Spotify Web API with types for returned data.
TypeScript
231
star
57

docker-cassandra

Cassandra in Docker with fast startup
Shell
218
star
58

terraform-gke-kubeflow-cluster

Terraform module for creating GKE clusters to run Kubeflow
HCL
209
star
59

linux

Spotify's Linux kernel for Debian-based systems
C
203
star
60

git-test

test your commits
Shell
202
star
61

dns-java

DNS wrapper library that provides SRV lookup functionality
Java
201
star
62

SPStackedNav

[DEPRECATED] Navigation controller which represents its content in stacks of panes, rather than one at a time
Objective-C
195
star
63

basic-pitch-ts

A lightweight yet powerful audio-to-MIDI converter with pitch bend detection.
TypeScript
194
star
64

quickstart

A CommonJS module resolver, loader and compiler for node.js and browsers.
JavaScript
192
star
65

spotify-json

Fast and nice to use C++ JSON library.
C++
188
star
66

dbeam

DBeam exports SQL tables into Avro files using JDBC and Apache Beam
Java
181
star
67

flink-on-k8s-operator

Kubernetes operator for managing the lifecycle of Apache Flink and Beam applications.
Go
178
star
68

bazel-tools

Tools for dealing with very large Bazel-managed repositories
Java
165
star
69

lingon

A user friendly tool for building single-page JavaScript applications
JavaScript
162
star
70

dataenum

Algebraic data types in Java.
Java
159
star
71

async-google-pubsub-client

[SUNSET] Async Google Pubsub Client
Java
157
star
72

magnolify

A collection of Magnolia add-on modules
Scala
157
star
73

gcp-audit

A tool for auditing security properties of GCP projects.
Python
156
star
74

spark-bigquery

Google BigQuery support for Spark, SQL, and DataFrames
Scala
154
star
75

flo

A lightweight workflow definition library
Java
146
star
76

folsom

An asynchronous memcache client for Java
Java
144
star
77

should-up

Remove most of the "should" noise from your tests
JavaScript
143
star
78

missinglink

Build time tool for detecting link problems in java projects
Java
141
star
79

zoltar

Common library for serving TensorFlow, XGBoost and scikit-learn models in production.
Java
141
star
80

android-auth

Spotify authentication and authorization for Android. Part of the Spotify Android SDK.
HTML
139
star
81

proto-registry

An implementation of the Protobuf Registry API
TypeScript
139
star
82

futures-extra

Java library for working with Guava futures
Java
136
star
83

annoy-java

Approximate nearest neighbors in Java
Java
134
star
84

spydra

Ephemeral Hadoop clusters using Google Compute Platform
Java
132
star
85

docker-stress

Simple docker stress test and monitoring tools
Python
124
star
86

spotify-tensorflow

Provides Spotify-specific TensorFlow helpers
Python
123
star
87

spotify-web-playback-sdk-example

React based example app that creates a new player in Spotify Connect to play music from in the browse using Spotify Web Playback SDK.
JavaScript
120
star
88

sparkey-java

Java implementation of the Sparkey key value store
Java
117
star
89

redux-location-state

Utilities for reading & writing Redux store state to & from the URL
JavaScript
117
star
90

rspec-dns

Easily test your DNS with RSpec
Ruby
108
star
91

web-playback-sdk

This issue tracker is no longer used. Join us in the Spotify for Developers forum for support with the Spotify Web Playback SDK ➑️ https://community.spotify.com/t5/Spotify-for-Developers/bd-p/Spotify_Developer
108
star
92

ffwd-ruby

An event and metrics fast-forwarding agent.
Ruby
106
star
93

realbook

Easier audio-based machine learning with TensorFlow.
Python
106
star
94

github-java-client

A Java client to Github API
Java
105
star
95

gimme

Creating time bound IAM Conditions with ease and flair
Python
103
star
96

super-smash-brogp

Sends and withdraws BGP prefixes for fun.
Python
98
star
97

lighthouse-audit-service

TypeScript
93
star
98

noether

Scala Aggregators used for ML Model metrics monitoring
Scala
91
star
99

python-graphwalker

Python re-implementation of the graphwalker testing tool
Python
90
star
100

spotify-js-challenge

JavaScript
87
star