• This repository has been archived on 11/Jan/2023
  • Stars
    star
    118
  • Rank 299,923 (Top 6 %)
  • Language
    Python
  • License
    Apache License 2.0
  • Created almost 12 years ago
  • Updated almost 5 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

a public key backed client/server authentication system

crtauth - a public key backed client/server authentication system

The latest version of this software can be fetched from GitHub.

crtauth is a system for authenticating a user to a centralized server. The initial use case is to create a convenient authentication for command line tools that interacts with a central server without resorting to authentication using a shared secret, such as a password.

The code available in this project is written in Python. There is also a Java version, implementing the same protocol available at https://github.com/spotify/crtauth-java

crtauth leverages the public key cryptography mechanisms that is commonly used by ssh(1) to authenticate users to remote systems. The goal of the system is to make the user experience as seamless as possible using the ssh-agent program to manage access to encrypted private keys without asking for a password each time the command is run

The name of the project is derived from the central concepts challenge, response, token and authentication, while at the same time reminding us old timers of the soon to be forgotten cathode ray tube screen technology.

Using the library

For the server side functionality there is a high level API available in the wsgi module. It provides wsgi middleware functionality that can be used to protect a service using the crtauth authentication mechanism. hello_world_server gives a minimal example on how this API is used. If crtauth is to be used in a non-WSGI environment, there is a lower level API available in the server module.

For clients an authentication plugin for Python Requests is available. An example use of the client module can be seen in the hello_world_client example.

Technical details

This section gives big picture overview of how crtauth operates. For the specifics of the protocol and it's messages, please see the specification.

Command line tools that connect to a central server to perform some action or fetch some information can be a very useful thing. crtauth is currently specified to work with HTTP as transport, but it is entirely possible to re-use that exposes information about servers using an HTTP-based API.

The basic operation of the protocol follows the following pattern

  • The client requests a challenge from the server, providing a username.
  • The server creates a challenge that gets sent back to the client.
  • The client signs the challenge and returns the response to the server.
  • The server verifies that the response is valid and if so it issues an access token to the client.
  • The access token is provided to when calling protected services.
  • The server validates that the token is valid and if so, provides access to the client.

The that implement this mechanism has two parts, one for the server and one for the client. A server that wants to authenticate clients instantiates an AuthServer instance (defined in the crtauth.server module) with a secret and a KeyProvider instance as constructor arguments. The very simple FileKeyProvider reads public keys from a filesystem directory using a filename pattern derived from the username of the connecting user.

Once there is an AuthServer instance, it can generate a challenge string for a specific user using the create_challenge() method.

The client part of the mechanism is also contained in the crtauth.server module, in the create_response() function. It takes a challenge string provided by the server and returns a response string suitable for sending back to the server.

The server in turn validates the response from the client and if it checks out it returns an access token that can be used by the client to make authenticated requests. This validation is done in the create_token() method of the AuthServer class.

For subsequent calls to protected services, the provided access token can be verified using the validate_token() method of the AuthServer instance.

SSH keys from LDAP

This library also provides functionality to extract public ssh keys for connecting users using an LDAP directory. To use this functionality, which is available in the ldap_key_provider.py module, the python-ldap module needs to be installed.

License

crtauth is free software, this code is released under the Apache Software License, version 2. The original code is written by Noa Resare with contributions from John-John Tedro, Erwan Lemmonier, Martin Parm and Gunnar Kreitz

All code is Copyright (c) 2011-2017 Spotify AB

More Repositories

1

luigi

Luigi is a Python module that helps you build complex pipelines of batch jobs. It handles dependency resolution, workflow management, visualization etc. It also comes with Hadoop support built in.
Python
17,796
star
2

annoy

Approximate Nearest Neighbors in C++/Python optimized for memory usage and loading/saving to disk
C++
13,197
star
3

pedalboard

🎛 🔊 A Python library for audio.
C++
5,147
star
4

docker-gc

INACTIVE: Docker garbage collection of containers and images
Shell
5,068
star
5

chartify

Python library that makes it easy for data scientists to create charts.
Python
3,510
star
6

basic-pitch

A lightweight yet powerful audio-to-MIDI converter with pitch bend detection
Python
3,184
star
7

dockerfile-maven

MATURE: A set of Maven tools for dealing with Dockerfiles
Java
2,756
star
8

docker-maven-plugin

INACTIVE: A maven plugin for Docker
Java
2,652
star
9

scio

A Scala API for Apache Beam and Google Cloud Dataflow.
Scala
2,485
star
10

helios

Docker container orchestration platform
Java
2,097
star
11

web-api-examples

Basic examples to authenticate and fetch data using the Spotify Web API
HTML
1,889
star
12

HubFramework

DEPRECATED – Spotify’s component-driven UI framework for iOS
Objective-C
1,861
star
13

apollo

Java libraries for writing composable microservices
Java
1,648
star
14

dh-virtualenv

Python virtualenvs in Debian packages
Python
1,614
star
15

docker-client

INACTIVE: A simple docker client for the JVM
Java
1,431
star
16

docker-kafka

Kafka (and Zookeeper) in Docker
Shell
1,399
star
17

SPTPersistentCache

Everyone tries to implement a cache at some point in their iOS app’s lifecycle, and this is ours.
Objective-C
1,243
star
18

voyager

🛰️ An approximate nearest-neighbor search library for Python and Java with a focus on ease of use, simplicity, and deployability.
C++
1,242
star
19

mobius

A functional reactive framework for managing state evolution and side-effects.
Java
1,223
star
20

sparkey

Simple constant key/value storage library, for read-heavy systems with infrequent large bulk inserts.
C
1,178
star
21

ruler

Gradle plugin which helps you analyze the size of your Android apps.
Kotlin
1,130
star
22

XCMetrics

XCMetrics is the easiest way to collect Xcode build metrics and improve developer productivity.
Swift
1,102
star
23

web-api

This issue tracker is no longer used. Join us in the Spotify for Developers forum for support with the Spotify Web API ➡️ https://community.spotify.com/t5/Spotify-for-Developers/bd-p/Spotify_Developer
RAML
981
star
24

echoprint-codegen

Codegen for Echoprint
C++
948
star
25

snakebite

A pure python HDFS client
Python
856
star
26

heroic

The Heroic Time Series Database
Java
843
star
27

klio

Smarter data pipelines for audio.
Python
836
star
28

XCRemoteCache

Swift
830
star
29

ios-sdk

Spotify SDK for iOS
Objective-C
643
star
30

SPTDataLoader

The HTTP library used by the Spotify iOS client
Objective-C
630
star
31

apps-tutorial

A Spotify App that contains working examples of the use of Spotify Apps API
627
star
32

JniHelpers

Tools for writing great JNI code
C++
593
star
33

postgresql-metrics

Tool that extracts and provides metrics on your PostgreSQL database
Python
590
star
34

Mobius.swift

A functional reactive framework for managing state evolution and side-effects [Swift implementation]
Swift
557
star
35

reactochart

📈 React chart component library 📉
JavaScript
552
star
36

dockerfile-mode

An emacs mode for handling Dockerfiles
Emacs Lisp
535
star
37

threaddump-analyzer

A JVM threaddump analyzer
JavaScript
488
star
38

featran

A Scala feature transformation library for data science and machine learning
Scala
467
star
39

android-sdk

Spotify SDK for Android
HTML
457
star
40

echoprint-server

Server for the Echoprint audio fingerprint system
Java
395
star
41

completable-futures

Utilities for working with futures in Java 8
Java
393
star
42

web-scripts

DEPRECATED: A collection of base configs and CLI wrappers used to speed up development @ Spotify.
TypeScript
383
star
43

spotify-web-api-ts-sdk

A Typescript SDK for the Spotify Web API with types for returned data.
TypeScript
356
star
44

SpotifyLogin

Swift framework for authenticating with the Spotify API
Swift
347
star
45

ratatool

A tool for data sampling, data generation, and data diffing
Scala
338
star
46

fmt-maven-plugin

Opinionated Maven Plugin that formats your Java code.
Java
324
star
47

coordinator

A visual interface for turning an SVG into XY coördinates.
HTML
288
star
48

big-data-rosetta-code

Code snippets for solving common big data problems in various platforms. Inspired by Rosetta Code
Scala
287
star
49

trickle

A small library for composing asynchronous code
Java
285
star
50

pythonflow

🐍 Dataflow programming for python.
Python
285
star
51

styx

"The path to execution", Styx is a service that schedules batch data processing jobs in Docker containers on Kubernetes.
Java
266
star
52

cstar

Apache Cassandra cluster orchestration tool for the command line
Python
254
star
53

confidence

Python
254
star
54

netty-zmtp

A Netty implementation of ZMTP, the ZeroMQ Message Transport Protocol.
Java
243
star
55

ios-style

Guidelines for iOS development in use at Spotify
243
star
56

cassandra-reaper

Software to run automated repairs of cassandra
235
star
57

docker-cassandra

Cassandra in Docker with fast startup
Shell
220
star
58

basic-pitch-ts

A lightweight yet powerful audio-to-MIDI converter with pitch bend detection.
TypeScript
216
star
59

terraform-gke-kubeflow-cluster

Terraform module for creating GKE clusters to run Kubeflow
HCL
213
star
60

linux

Spotify's Linux kernel for Debian-based systems
C
208
star
61

dns-java

DNS wrapper library that provides SRV lookup functionality
Java
206
star
62

git-test

test your commits
Shell
203
star
63

SPStackedNav

[DEPRECATED] Navigation controller which represents its content in stacks of panes, rather than one at a time
Objective-C
195
star
64

spotify-json

Fast and nice to use C++ JSON library.
C++
194
star
65

quickstart

A CommonJS module resolver, loader and compiler for node.js and browsers.
JavaScript
193
star
66

dbeam

DBeam exports SQL tables into Avro files using JDBC and Apache Beam
Java
189
star
67

flink-on-k8s-operator

Kubernetes operator for managing the lifecycle of Apache Flink and Beam applications.
Go
185
star
68

bazel-tools

Tools for dealing with very large Bazel-managed repositories
Java
166
star
69

magnolify

A collection of Magnolia add-on modules
Scala
163
star
70

dataenum

Algebraic data types in Java.
Java
163
star
71

lingon

A user friendly tool for building single-page JavaScript applications
JavaScript
162
star
72

async-google-pubsub-client

[SUNSET] Async Google Pubsub Client
Java
158
star
73

gcp-audit

A tool for auditing security properties of GCP projects.
Python
157
star
74

spark-bigquery

Google BigQuery support for Spark, SQL, and DataFrames
Scala
155
star
75

should-up

Remove most of the "should" noise from your tests
JavaScript
153
star
76

folsom

An asynchronous memcache client for Java
Java
147
star
77

missinglink

Build time tool for detecting link problems in java projects
Java
146
star
78

flo

A lightweight workflow definition library
Java
146
star
79

spotify-web-playback-sdk-example

React based example app that creates a new player in Spotify Connect to play music from in the browse using Spotify Web Playback SDK.
JavaScript
144
star
80

android-auth

Spotify authentication and authorization for Android. Part of the Spotify Android SDK.
HTML
143
star
81

proto-registry

An implementation of the Protobuf Registry API
TypeScript
141
star
82

futures-extra

Java library for working with Guava futures
Java
138
star
83

zoltar

Common library for serving TensorFlow, XGBoost and scikit-learn models in production.
Java
138
star
84

annoy-java

Approximate nearest neighbors in Java
Java
138
star
85

spydra

Ephemeral Hadoop clusters using Google Compute Platform
Java
134
star
86

github-java-client

A Java client to Github API
Java
129
star
87

docker-stress

Simple docker stress test and monitoring tools
Python
125
star
88

spotify-tensorflow

Provides Spotify-specific TensorFlow helpers
Python
124
star
89

sparkey-java

Java implementation of the Sparkey key value store
Java
118
star
90

redux-location-state

Utilities for reading & writing Redux store state to & from the URL
JavaScript
118
star
91

realbook

Easier audio-based machine learning with TensorFlow.
Python
112
star
92

rspec-dns

Easily test your DNS with RSpec
Ruby
107
star
93

web-playback-sdk

This issue tracker is no longer used. Join us in the Spotify for Developers forum for support with the Spotify Web Playback SDK ➡️ https://community.spotify.com/t5/Spotify-for-Developers/bd-p/Spotify_Developer
107
star
94

ffwd-ruby

An event and metrics fast-forwarding agent.
Ruby
105
star
95

gimme

Creating time bound IAM Conditions with ease and flair
Python
103
star
96

super-smash-brogp

Sends and withdraws BGP prefixes for fun.
Python
98
star
97

spotify.github.io

Showcase site for hand-picked open-source projects by Spotify
HTML
96
star
98

lighthouse-audit-service

TypeScript
95
star
99

python-graphwalker

Python re-implementation of the graphwalker testing tool
Python
93
star
100

noether

Scala Aggregators used for ML Model metrics monitoring
Scala
91
star