The purpose of this semi-technical blog post is to reiterate what Modern Authentication is about and connect it to the standard product security changes.
What is Modern Authentication?
Let's start with some definitions:
- Authentication is the act of proving an assertion, such as the identity of a computer system user – Happens outside of the CMS, the product needs no password access
- Authorization is the function of specifying access rights/privileges to resources – Happens in the CMS
Modern Authentication is about using the trusted code of your generic system browser to authenticate. The system browser is the application that opens any https:// link on your device and by nature any browser is passive, meaning that it follows the lead of the authentication server. And if that authentication server wants a second factor (your phone's Authenticator app, or YubiKey, or even select all pictures with traffic lights or whatever the future brings...), it can.
What is Non-Modern Authentication then? Actually any Web Application or Application in general that directly asks for your credentials like for example username / password. So an example Application is Publication Manager that in the past (14SP4 and earlier) asked for your username / password and even offered to safely store the password somewhere for you through a remember-me-checkbox is not modern.
- The Application is set up from the start to know what the authentication flow and in turn challenges will be. A change in the challenges, like introduction of two-factor-authentication (2FA), is not possible without code changes.
- The Application's custom/product code is aware of passed credentials, a security risk! You have to trust the application to not put the password in the log files or even worse nicely aggregate them for evil usage downstream.
To continue on the definitions part, to us Single-Sign-On (SSO) is not about reusing your credentials. So using that same username / password combination in all kind of Web Applications in essence is only reusing the Identity Provider like Active Directory or LDAP. It is about reusing your authentication, and by pushing all authentication flows to your preferred single-sourced system browser, there will be many applications that seemingly immediately log you on without challenging for credentials. That is Single-Sign-On.
Applying Modern Authentication to Tridion Docs, the text edition
Let us apply the above knowledge in product changes to 4 typical use cases of applications that need authentication (column-1). We can compare how it was in Tridion Docs 14SP4 (column-2) and what it became in Tridion Docs 15.0 (column-3).
Tridion Docs 14SP4 and earlier |
Tridion Docs 15.0 and later |
|
Server-hosted Web Applications |
Passive WS-Federation protocol complies with Modern Authentication |
Passive Authorization Code With PKCE flow of OpenIdConnect protocol is Modern Authentication |
Client-hosted tools like Publication Manager |
Active WS-Trust protocol is Non-Modern Authentication |
Passive Authorization Code With PKCE flow of OpenIdConnect protocol is Modern Authentication |
Client-hosted tools like ISHRemote or Content Importer |
Active WS-Trust protocol is Non-Modern Authentication |
Passive Authorization Code With PKCE flow of OpenIdConnect protocol is Modern Authentication for interactive users |
Active Client Credentials flow of OpenIdConnect protocol is Non-Modern Authentication for scheduled cmdline operations |
||
Server-hosted services like Translation Organizer |
Active WS-Trust protocol is Non-Modern Authentication |
Active Client Credentials flow of OpenIdConnect protocol is Non-Modern Authentication |
What you will recognize in the table is that:
- Previous product releases complied with Modern Authentication for Web Applications (e.g. Draft Space) but not for Client Tools (e.g. Publication Manager). The 'Passive' keyword highlights that the custom/product code base was not in the lead on doing the authentication; it was passive and followed the lead of the authentication server.
- Previous product releases relied on WS-Federation and WS-Trust protocol. See OASIS specifications on https://www.oasis-open.org/standard/ws-federation/ and http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/ws-trust.html. While starting in Tridion Docs 15 we modernized there as well to OpenID Connect protocol, see https://openid.net/foundation/sponsoring-members/
- All product releases still have scenarios where there is no user interactivity possible over a system browser. In the unattended or scheduled service-to-service scenarios we rely on Client Credentials Flow which is part of the OpenID Connect protocol.
Applying Modern Authentication to Tridion Docs, the picture edition
As I personally like a high-level diagram more to understand what has changed. I'm sharing these side-by-side pictures for you to compare and find the 7 (I guess) differences.
Applying Modern Authentication to your organization
On a high-level, security is a topic which every year becomes more and more important. This is about applying the right flows throughout the system, including customizations. And it is not only about the Sign In operation, it is also about refresh, sliding sessions, up to Sign Out. It is also about writing secure code like we commit to, see https://www.veracode.com/verified/directory/rws-group. And this in the fast-changing technology world. Security does not happen as a side effect, it requires an active investment from all of us.
By now I hope it is clear that all product and custom Web Applications and Applications like Publication Manager should never ask for credentials directly. They should only work with the Access Token (and Refresh Token) which comes as a result of an authentication flow.
More Information
- In the above diagram you might spot /ISHEXT which offers a secure way to extend Organize Space with new functionality where we do the heavy lifting regarding security non-functional requirements (NFRs) like stateless and resiliency. Extending Organize Space (the successor of the Web Client /ISHCM) is nicely explained in a webinar. See 'Bootcamp video 4 of 4 – Organize space and Extensions Workshop summary' on https://community.rws.com/product-groups/tridion/tridion-docs/b/weblog/posts/bootcamp-session-for-tridion-docs-15-release
- In a next blog post we will highlight one way of implementing a custom web application, showcasing ReactJS as frontend technology over recently released NET8 as backend using OpenID Connect protocol flow. (edit: see How you could build a custom Web Application using Modern Authentication on Tridion Docs 15? )
- Even upcoming ISHRemote v8 will support OpenID Connect flow, so the Passive and Active flow as described in the above table.
- You can read the draft release notes on https://github.com/RWS/ISHRemote/blob/master/Doc/ReleaseNotes-ISHRemote-8.0.md And the release will also be announced as a blog post on this channel as well.
- ISHRemote v8.0.0 preview has been made available over public PSGallery repository. So on a machine where you had ISHRemote v7.0.0 installed it is as simple as running Update-Module -Name ISHRemote -AllowPrerelease otherwise use Install-Module -Name ISHRemote -Repository PSGallery -AllowPrerelease.