• This repository has been archived on 11/Jan/2023
  • Stars
    star
    118
  • Rank 293,014 (Top 6 %)
  • Language
    Python
  • License
    Apache License 2.0
  • Created over 11 years ago
  • Updated over 4 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

a public key backed client/server authentication system

crtauth - a public key backed client/server authentication system

The latest version of this software can be fetched from GitHub.

crtauth is a system for authenticating a user to a centralized server. The initial use case is to create a convenient authentication for command line tools that interacts with a central server without resorting to authentication using a shared secret, such as a password.

The code available in this project is written in Python. There is also a Java version, implementing the same protocol available at https://github.com/spotify/crtauth-java

crtauth leverages the public key cryptography mechanisms that is commonly used by ssh(1) to authenticate users to remote systems. The goal of the system is to make the user experience as seamless as possible using the ssh-agent program to manage access to encrypted private keys without asking for a password each time the command is run

The name of the project is derived from the central concepts challenge, response, token and authentication, while at the same time reminding us old timers of the soon to be forgotten cathode ray tube screen technology.

Using the library

For the server side functionality there is a high level API available in the wsgi module. It provides wsgi middleware functionality that can be used to protect a service using the crtauth authentication mechanism. hello_world_server gives a minimal example on how this API is used. If crtauth is to be used in a non-WSGI environment, there is a lower level API available in the server module.

For clients an authentication plugin for Python Requests is available. An example use of the client module can be seen in the hello_world_client example.

Technical details

This section gives big picture overview of how crtauth operates. For the specifics of the protocol and it's messages, please see the specification.

Command line tools that connect to a central server to perform some action or fetch some information can be a very useful thing. crtauth is currently specified to work with HTTP as transport, but it is entirely possible to re-use that exposes information about servers using an HTTP-based API.

The basic operation of the protocol follows the following pattern

  • The client requests a challenge from the server, providing a username.
  • The server creates a challenge that gets sent back to the client.
  • The client signs the challenge and returns the response to the server.
  • The server verifies that the response is valid and if so it issues an access token to the client.
  • The access token is provided to when calling protected services.
  • The server validates that the token is valid and if so, provides access to the client.

The that implement this mechanism has two parts, one for the server and one for the client. A server that wants to authenticate clients instantiates an AuthServer instance (defined in the crtauth.server module) with a secret and a KeyProvider instance as constructor arguments. The very simple FileKeyProvider reads public keys from a filesystem directory using a filename pattern derived from the username of the connecting user.

Once there is an AuthServer instance, it can generate a challenge string for a specific user using the create_challenge() method.

The client part of the mechanism is also contained in the crtauth.server module, in the create_response() function. It takes a challenge string provided by the server and returns a response string suitable for sending back to the server.

The server in turn validates the response from the client and if it checks out it returns an access token that can be used by the client to make authenticated requests. This validation is done in the create_token() method of the AuthServer class.

For subsequent calls to protected services, the provided access token can be verified using the validate_token() method of the AuthServer instance.

SSH keys from LDAP

This library also provides functionality to extract public ssh keys for connecting users using an LDAP directory. To use this functionality, which is available in the ldap_key_provider.py module, the python-ldap module needs to be installed.

License

crtauth is free software, this code is released under the Apache Software License, version 2. The original code is written by Noa Resare with contributions from John-John Tedro, Erwan Lemmonier, Martin Parm and Gunnar Kreitz

All code is Copyright (c) 2011-2017 Spotify AB

More Repositories

1

luigi

Luigi is a Python module that helps you build complex pipelines of batch jobs. It handles dependency resolution, workflow management, visualization etc. It also comes with Hadoop support built in.
Python
17,340
star
2

annoy

Approximate Nearest Neighbors in C++/Python optimized for memory usage and loading/saving to disk
C++
12,751
star
3

docker-gc

INACTIVE: Docker garbage collection of containers and images
Shell
5,068
star
4

pedalboard

๐ŸŽ› ๐Ÿ”Š A Python library for audio.
C++
4,907
star
5

chartify

Python library that makes it easy for data scientists to create charts.
Python
3,486
star
6

basic-pitch

A lightweight yet powerful audio-to-MIDI converter with pitch bend detection
Python
2,972
star
7

dockerfile-maven

MATURE: A set of Maven tools for dealing with Dockerfiles
Java
2,737
star
8

docker-maven-plugin

INACTIVE: A maven plugin for Docker
Java
2,652
star
9

scio

A Scala API for Apache Beam and Google Cloud Dataflow.
Scala
2,485
star
10

helios

Docker container orchestration platform
Java
2,097
star
11

web-api-examples

Basic examples to authenticate and fetch data using the Spotify Web API
HTML
1,889
star
12

HubFramework

DEPRECATED โ€“ Spotifyโ€™s component-driven UI framework for iOS
Objective-C
1,863
star
13

apollo

Java libraries for writing composable microservices
Java
1,648
star
14

dh-virtualenv

Python virtualenvs in Debian packages
Python
1,601
star
15

docker-client

INACTIVE: A simple docker client for the JVM
Java
1,426
star
16

docker-kafka

Kafka (and Zookeeper) in Docker
Shell
1,401
star
17

SPTPersistentCache

Everyone tries to implement a cache at some point in their iOS appโ€™s lifecycle, and this is ours.
Objective-C
1,243
star
18

mobius

A functional reactive framework for managing state evolution and side-effects.
Java
1,213
star
19

voyager

๐Ÿ›ฐ๏ธ An approximate nearest-neighbor search library for Python and Java with a focus on ease of use, simplicity, and deployability.
C++
1,175
star
20

sparkey

Simple constant key/value storage library, for read-heavy systems with infrequent large bulk inserts.
C
1,149
star
21

ruler

Gradle plugin which helps you analyze the size of your Android apps.
Kotlin
1,116
star
22

XCMetrics

XCMetrics is the easiest way to collect Xcode build metrics and improve developer productivity.
Swift
1,094
star
23

web-api

This issue tracker is no longer used. Join us in the Spotify for Developers forum for support with the Spotify Web API โžก๏ธ https://community.spotify.com/t5/Spotify-for-Developers/bd-p/Spotify_Developer
RAML
981
star
24

echoprint-codegen

Codegen for Echoprint
C++
948
star
25

snakebite

A pure python HDFS client
Python
858
star
26

heroic

The Heroic Time Series Database
Java
843
star
27

klio

Smarter data pipelines for audio.
Python
831
star
28

XCRemoteCache

Swift
824
star
29

ios-sdk

Spotify SDK for iOS
Objective-C
627
star
30

apps-tutorial

A Spotify App that contains working examples of the use of Spotify Apps API
627
star
31

SPTDataLoader

The HTTP library used by the Spotify iOS client
Objective-C
626
star
32

postgresql-metrics

Tool that extracts and provides metrics on your PostgreSQL database
Python
588
star
33

JniHelpers

Tools for writing great JNI code
C++
587
star
34

Mobius.swift

A functional reactive framework for managing state evolution and side-effects [Swift implementation]
Swift
552
star
35

reactochart

๐Ÿ“ˆ React chart component library ๐Ÿ“‰
JavaScript
551
star
36

dockerfile-mode

An emacs mode for handling Dockerfiles
Emacs Lisp
525
star
37

threaddump-analyzer

A JVM threaddump analyzer
JavaScript
483
star
38

featran

A Scala feature transformation library for data science and machine learning
Scala
465
star
39

android-sdk

Spotify SDK for Android
HTML
449
star
40

echoprint-server

Server for the Echoprint audio fingerprint system
Java
396
star
41

completable-futures

Utilities for working with futures in Java 8
Java
382
star
42

web-scripts

DEPRECATED: A collection of base configs and CLI wrappers used to speed up development @ Spotify.
TypeScript
381
star
43

SpotifyLogin

Swift framework for authenticating with the Spotify API
Swift
346
star
44

ratatool

A tool for data sampling, data generation, and data diffing
Scala
337
star
45

fmt-maven-plugin

Opinionated Maven Plugin that formats your Java code.
Java
309
star
46

spotify-web-api-ts-sdk

A Typescript SDK for the Spotify Web API with types for returned data.
TypeScript
290
star
47

big-data-rosetta-code

Code snippets for solving common big data problems in various platforms. Inspired by Rosetta Code
Scala
287
star
48

trickle

A small library for composing asynchronous code
Java
284
star
49

coordinator

A visual interface for turning an SVG into XY coรถrdinates.
HTML
283
star
50

pythonflow

๐Ÿ Dataflow programming for python.
Python
281
star
51

styx

"The path to execution", Styx is a service that schedules batch data processing jobs in Docker containers on Kubernetes.
Java
266
star
52

cstar

Apache Cassandra cluster orchestration tool for the command line
Python
254
star
53

netty-zmtp

A Netty implementation of ZMTP, the ZeroMQ Message Transport Protocol.
Java
242
star
54

ios-style

Guidelines for iOS development in use at Spotify
241
star
55

confidence

Python
238
star
56

cassandra-reaper

Software to run automated repairs of cassandra
235
star
57

docker-cassandra

Cassandra in Docker with fast startup
Shell
219
star
58

terraform-gke-kubeflow-cluster

Terraform module for creating GKE clusters to run Kubeflow
HCL
209
star
59

basic-pitch-ts

A lightweight yet powerful audio-to-MIDI converter with pitch bend detection.
TypeScript
206
star
60

dns-java

DNS wrapper library that provides SRV lookup functionality
Java
204
star
61

linux

Spotify's Linux kernel for Debian-based systems
C
204
star
62

git-test

test your commits
Shell
202
star
63

SPStackedNav

[DEPRECATED] Navigation controller which represents its content in stacks of panes, rather than one at a time
Objective-C
195
star
64

quickstart

A CommonJS module resolver, loader and compiler for node.js and browsers.
JavaScript
193
star
65

spotify-json

Fast and nice to use C++ JSON library.
C++
191
star
66

dbeam

DBeam exports SQL tables into Avro files using JDBC and Apache Beam
Java
188
star
67

flink-on-k8s-operator

Kubernetes operator for managing the lifecycle of Apache Flink and Beam applications.
Go
180
star
68

lingon

A user friendly tool for building single-page JavaScript applications
JavaScript
162
star
69

bazel-tools

Tools for dealing with very large Bazel-managed repositories
Java
162
star
70

dataenum

Algebraic data types in Java.
Java
161
star
71

magnolify

A collection of Magnolia add-on modules
Scala
158
star
72

async-google-pubsub-client

[SUNSET] Async Google Pubsub Client
Java
157
star
73

gcp-audit

A tool for auditing security properties of GCP projects.
Python
156
star
74

spark-bigquery

Google BigQuery support for Spark, SQL, and DataFrames
Scala
155
star
75

should-up

Remove most of the "should" noise from your tests
JavaScript
150
star
76

flo

A lightweight workflow definition library
Java
146
star
77

folsom

An asynchronous memcache client for Java
Java
145
star
78

missinglink

Build time tool for detecting link problems in java projects
Java
142
star
79

android-auth

Spotify authentication and authorization for Android. Part of the Spotify Android SDK.
HTML
140
star
80

proto-registry

An implementation of the Protobuf Registry API
TypeScript
140
star
81

zoltar

Common library for serving TensorFlow, XGBoost and scikit-learn models in production.
Java
138
star
82

futures-extra

Java library for working with Guava futures
Java
135
star
83

annoy-java

Approximate nearest neighbors in Java
Java
134
star
84

spydra

Ephemeral Hadoop clusters using Google Compute Platform
Java
133
star
85

spotify-web-playback-sdk-example

React based example app that creates a new player in Spotify Connect to play music from in the browse using Spotify Web Playback SDK.
JavaScript
129
star
86

docker-stress

Simple docker stress test and monitoring tools
Python
125
star
87

spotify-tensorflow

Provides Spotify-specific TensorFlow helpers
Python
124
star
88

redux-location-state

Utilities for reading & writing Redux store state to & from the URL
JavaScript
118
star
89

sparkey-java

Java implementation of the Sparkey key value store
Java
117
star
90

github-java-client

A Java client to Github API
Java
114
star
91

realbook

Easier audio-based machine learning with TensorFlow.
Python
109
star
92

rspec-dns

Easily test your DNS with RSpec
Ruby
107
star
93

web-playback-sdk

This issue tracker is no longer used. Join us in the Spotify for Developers forum for support with the Spotify Web Playback SDK โžก๏ธ https://community.spotify.com/t5/Spotify-for-Developers/bd-p/Spotify_Developer
107
star
94

ffwd-ruby

An event and metrics fast-forwarding agent.
Ruby
106
star
95

gimme

Creating time bound IAM Conditions with ease and flair
Python
103
star
96

super-smash-brogp

Sends and withdraws BGP prefixes for fun.
Python
98
star
97

lighthouse-audit-service

TypeScript
93
star
98

noether

Scala Aggregators used for ML Model metrics monitoring
Scala
91
star
99

python-graphwalker

Python re-implementation of the graphwalker testing tool
Python
91
star
100

spotify.github.io

Showcase site for hand-picked open-source projects by Spotify
HTML
88
star