Architecture: OAuth Scopes
TL;DR:
Authentication is how our platform verifies a user’s identity (“who you are”) for a client requesting data from an edX application and goes hand in hand with authorization (“what you can get”). We’ve been using an industry-standard framework called OAuth2.0 but in a more limited way than desired. In order to improve this platform area, Architecture team built upon some open source contributions by Microsoft. This “OAuth Scopes” project enhances our authentication implementation to allow external Open edX clients (e.g. partners) to more easily and securely request data from edX - via API calls for example.
Release date: 8/9/2018
Product owner: Greg Sham
What is it?
A simplified way of thinking about these improvements is that Authentication (“Auth”) is like a smart lock for a storage unit with all your valuables (i.e. data). Prior to enforcing Scopes, the lock would either let someone in with access to everything or deny them, resulting in a very limited number of people being granted access. With Scopes support, the lock (Auth) is improved so that the contents inside are compartmentalized and access to different sets of content depends on the identity of the person being granted access (this latter part also relates to Authorization, another area the team is working on).
If you’re interested in a more detailed explanation, please read on, otherwise see the Key Talking Points section further below.
The OAuth2 framework is what Open edX uses for authentication, and Scopes define how much of an application’s data a requesting client is allowed to access. Besides adding Scopes support, the platform is also in the process of shifting from using django-oauth2-provider (DOP) with OpenID Connect to using django-oauth-toolkit (DOT) with JSON web tokens (JWT). This is necessary because DOP is no longer being supported and OIDC is not compatible with DOT. JWTs are an equivalent substitute for OIDC.
By moving to a supported module and performing the Scopes work, we ensure that our APIs remain accessible and extendable for our external partners in the future. Prior to this recent work, OAuth2 Scopes were not supported in our platform, which meant that external users were not able to make API calls or otherwise retrieve data from edX. With this week’s release, Scopes are supported for certain API endpoints of certain applications, with plans for eventual support throughout the platform.
In summary, the Architecture team’s recent work covered the following major areas:
Defining and configuring Scopes for access
Adding support for JSON Web Tokens (JWTs) where needed
Setting up permissions for the new state
Improving how organizations are associated with applications requesting data from edX
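To make the scope and organization checks described above concrete, here is a small added illustration (not Open edX code, and not the DOT/DRF implementation the team shipped): a JWT is minted with a "scopes" list and a "filters" list, then an API permission check verifies the signature and expiry and admits the call only if the required scope is present and, when the token carries "content_org:" filters, only for one of the listed organizations. The HS256 shared key, the claim names and the filter syntax are assumptions chosen for the demo.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

SECRET = b"constructed-demo-secret"  # assumption: demo-only HS256 key, not a real signing key


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Mint a compact HS256 JWT carrying scope and filter claims (constructed demo)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_jwt(token: str, key: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Reject unexpected algorithms, bad signatures and expired tokens; return the claims."""
    header, body, sig = token.split(".")
    if json.loads(_unb64(header)).get("alg") != "HS256":  # never trust the token's own alg choice
        raise PermissionError("unsupported alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) < (now if now is not None else time.time()):
        raise PermissionError("token expired")
    return claims


def is_allowed(claims: dict, required_scope: str, org: Optional[str] = None) -> bool:
    """Scope check, then organization filter (assumed 'content_org:<name>' syntax).

    A token with no content_org filters is unrestricted by org; a token with filters
    may only reach data belonging to one of the listed organizations.
    """
    if required_scope not in claims.get("scopes", []):
        return False
    org_filters = [f.split(":", 1)[1] for f in claims.get("filters", [])
                   if f.startswith("content_org:")]
    return org is None or not org_filters or org in org_filters
```

The same shape applies to a real DRF permission class: decode and verify first, then compare the endpoint's required scope and the requested organization against the claims.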
While further technical details of the above work are beyond the scope of this update, see the links below for more information or reach out to the Architecture team anytime if you have questions.
Key talking points for customers:
Access to edX data is now possible for external users via certain APIs (rolling out to more APIs and applications over time)
Degree of access to edX data via APIs is more controlled but also more flexible
Additional authentication improvements are in progress to support re-platforming, with the overall goal of making the edX platform more flexible and supportable in the long term.
Results: Pending
Link(s) to additional details:
Open edX Authentication wiki page
OAuth decision making documentation (Github)
Credits:
SathishKumar Eswaran from Microsoft
Architecture team (Nimisha and Doug driving with support from Dave O., Ari, and Robert)