Merge pull request #5 from openburo/add-backend-approach-docs

Add draft backend spec

Author: jmaupetit

docs/approche-back.md

@@ -0,0 +1,43 @@
+---
+layout: default
+title: Backend approach: appendices
+nav_order: 4
+---
+
+# Backend approach: appendices
+
+
+[← Backend approach](./index.md) · [Accueil](../index.md)
+
+---
+
+## The Token Exchange Flow (RFC 8693)
+
+1. **Initial Authentication**
+   - The end-user authenticates with the **Primary IdP**, which issues an
+   initial **access token** or **ID token**.
+
+2. **Token Exchange Request**
+   - The client application sends the initial token to the **Token Exchange
+   Service**, requesting a new token for a specific **target resource** or
+   **audience**.
+   - The request includes:
+     - `grant_type=urn:ietf:params:oauth:grant-type:token-exchange`
+     - `subject_token`: The initial token.
+     - `subject_token_type`: The type of the initial token (e.g.,
+     `urn:ietf:params:oauth:token-type:access_token`).
+     - `audience`: The target resource or service.
+     - `scope`: The requested permissions for the new token.
+
+3. **Token Transformation**
+   - The **Token Exchange Service** validates the initial token and issues a
+   new token tailored for the target resource. This new token may have:
+     - Restricted scopes.
+     - Additional claims.
+     - A different audience or issuer.
+
+4. **Access to Resource Server**
+   - The client application uses the exchanged token to access the **Resource
+   Server**, which validates the token and grants access based on its claims
+   and scopes.
+

docs/backend-approach/appendices.md

@@ -0,0 +1,32 @@
+---
+layout: default
+title: Backend approach: demo
+nav_order: 4
+---
+
+# Backend approach: demo
+
+[← Backend approach](./index.md) · [Accueil](../index.md)
+
+---
+
+## OpenBuro router
+
+We developed a POC server that can act as a proxy exposing the OpenBuro file
+picker API for services that are not natively integrated with OpenBuro.
+
+Source code of the project is available at:
+https://github.com/openburo/openburo-router
+
+You will find a back-end with different connectors to:
+
+- Twake
+- Google Drive 
+- Jamespot
+- Nextcloud
+
+And also a front-end to showcase the integration.
+
+> Note that only API server and connectors have been developed during this
+> first technical sprint. OIDC resource server and authorization server
+> implementations have been bypassed on purpose.

docs/backend-approach/demo.md

@@ -0,0 +1,100 @@
+---
+layout: default
+title: Backend approach
+nav_order: 4
+---
+
+# Backend approach
+
+[← Approche front](proposition-hackathon/) · [Accueil](index.md)
+
+---
+
+## Architecture
+
+![Minimal Viable Architecture](openburo-filepicker.drawio.svg)
+
+## Principles
+
+The consumer.com service will use server to server communication using a
+specified resource server API to pick files from the openburo-certified
+drive.com service.
+
+The Open Buro initiative provides an OpenBuro "router" that acts as a proxy to
+drive services that do not implement the resource server API specification.
+
+> The target architecture depicted in the schema illustrates a **federated
+> identity and access management system** leveraging **OpenID Connect (OIDC)**
+> and the **OAuth 2.0 Token Exchange (RFC 8693)**. This architecture enables
+> secure delegation of authentication and authorization across multiple trust
+> domains, allowing services to exchange tokens while maintaining strict
+> control over access rights and security policies.
+
+---
+
+### Key Components
+
+1. **OpenBuro-specified resource server API** (drive.com or openburo router)
+   - Services or APIs that require tokens for access. They validate tokens
+   issued by the Token Exchange Service or directly by the IdPs, ensuring that
+   only authorized requests are processed.
+   - The openburo router acts as a proxy with services that does implement
+   expected resources server API endpoints
+   - Servers are expected to implement the specified file-picking capability
+   (see next section).
+
+2. **Identity Providers (IdPs)**
+   - **Primary IdP**: The central identity provider responsible for
+   authenticating end-users and issuing initial tokens (e.g., ID tokens, access
+   tokens).
+   - **Secondary IdPs**: Additional identity providers that may issue tokens
+   for specific domains or services, enabling cross-domain authentication and
+   authorization.
+
+3. **Token Exchange Service**
+   - A dedicated service implementing **RFC 8693 (Token Exchange)**. It acts as
+   an intermediary to exchange tokens between different trust domains, ensuring
+   that tokens are transformed, restricted, or enriched according to the target
+   service’s requirements.
+
+4. **Client Applications (consumer.com)**
+   - Applications or services that consume tokens to access resources on behalf
+   of users. They interact with the Token Exchange Service to obtain tokens
+   with the appropriate scopes and claims for the target resource.
+
+---
+
+### Security Considerations
+
+- **Token Validation**: All tokens must be validated for integrity, issuer,
+audience, and expiration.
+- **Scope Restriction**: The Token Exchange Service ensures that exchanged
+tokens do not grant more privileges than the original token.
+- **Audit and Traceability**: All token exchanges are logged for security
+auditing and compliance.
+- **Consent Management**: User consent is managed transparently, especially
+when tokens are exchanged across trust domains.
+
+## Motivations
+
+### Pros 
+
+- This architecture provides a **scalable, secure, and interoperable**
+framework for federated identity and access management, leveraging **OIDC** and
+**Token Exchange (RFC 8693)**.
+- Each service consuming a resource is free to implement it's own UI/UX to
+access the resource.
+
+### Cons 
+
+- Proposed architecture relies on a circle of trust: if you share a token with
+a third party application, it implies that the later is trustworthy as it will
+have access to a user token to perform actions on behalf of users. The token
+exchange specification mitigate the scope of possible actions in a limited
+time, but does not solve the OIDC resource server trust issue.
+
+## Technical specifications
+
+- [Resource server API](./specification.md)
+- [Demo](./demo.md)
+- [Appendices](./appendices.md)

docs/backend-approach/index.md

@@ -0,0 +1,78 @@
+<mxfile host="app.diagrams.net" agent="Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0">
+  <diagram name="Page-1" id="Miq5_UqQhUQHEElPLVpS">
+    <mxGraphModel dx="2601" dy="1224" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="1169" pageHeight="827" math="0" shadow="0">
+      <root>
+        <mxCell id="0" />
+        <mxCell id="1" parent="0" />
+        <mxCell id="0_j7Obm5OifOXc6rpGYc-11" edge="1" parent="1" source="0_j7Obm5OifOXc6rpGYc-1" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=1;exitDx=0;exitDy=0;entryX=0.5;entryY=0;entryDx=0;entryDy=0;" target="0_j7Obm5OifOXc6rpGYc-4">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="0_j7Obm5OifOXc6rpGYc-1" parent="1" style="swimlane;startSize=0;" value="" vertex="1">
+          <mxGeometry height="80" width="160" x="530" y="40" as="geometry" />
+        </mxCell>
+        <mxCell id="0_j7Obm5OifOXc6rpGYc-3" parent="0_j7Obm5OifOXc6rpGYc-1" style="text;html=1;whiteSpace=wrap;strokeColor=none;fillColor=none;align=center;verticalAlign=middle;rounded=0;" value="&lt;div&gt;&lt;font style=&quot;font-size: 18px;&quot;&gt;consumer.com&lt;/font&gt;&lt;/div&gt;&lt;div&gt;frontend&lt;/div&gt;" vertex="1">
+          <mxGeometry height="30" width="60" x="50" y="25" as="geometry" />
+        </mxCell>
+        <mxCell id="0_j7Obm5OifOXc6rpGYc-14" edge="1" parent="1" source="0_j7Obm5OifOXc6rpGYc-4" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=1;exitY=0.5;exitDx=0;exitDy=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;startArrow=classic;startFill=1;" target="0_j7Obm5OifOXc6rpGYc-12">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="0_j7Obm5OifOXc6rpGYc-18" edge="1" parent="1" source="0_j7Obm5OifOXc6rpGYc-4" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=1;exitDx=0;exitDy=0;entryX=0.5;entryY=0;entryDx=0;entryDy=0;" target="0_j7Obm5OifOXc6rpGYc-7">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="0_j7Obm5OifOXc6rpGYc-23" edge="1" parent="1" source="0_j7Obm5OifOXc6rpGYc-4" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=1;exitDx=0;exitDy=0;entryX=0.5;entryY=0;entryDx=0;entryDy=0;" target="0_j7Obm5OifOXc6rpGYc-6">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="0_j7Obm5OifOXc6rpGYc-4" parent="1" style="swimlane;startSize=0;" value="" vertex="1">
+          <mxGeometry height="80" width="160" x="530" y="150" as="geometry">
+            <mxRectangle height="40" width="50" x="180" y="190" as="alternateBounds" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="0_j7Obm5OifOXc6rpGYc-5" parent="0_j7Obm5OifOXc6rpGYc-4" style="text;html=1;whiteSpace=wrap;strokeColor=none;fillColor=none;align=center;verticalAlign=middle;rounded=0;" value="&lt;div&gt;&lt;font style=&quot;font-size: 18px;&quot;&gt;consumer.com&lt;/font&gt;&lt;/div&gt;&lt;div&gt;backend&lt;/div&gt;" vertex="1">
+          <mxGeometry height="30" width="60" x="50" y="25" as="geometry" />
+        </mxCell>
+        <mxCell id="0_j7Obm5OifOXc6rpGYc-27" edge="1" parent="1" source="0_j7Obm5OifOXc6rpGYc-6" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0;exitY=0.5;exitDx=0;exitDy=0;startArrow=classic;startFill=1;" target="0_j7Obm5OifOXc6rpGYc-9">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="0_j7Obm5OifOXc6rpGYc-6" parent="1" style="whiteSpace=wrap;html=1;aspect=fixed;" value="&lt;div&gt;&lt;font style=&quot;font-size: 18px;&quot;&gt;OpenBuro&lt;/font&gt;&lt;/div&gt;&lt;div&gt;&lt;font size=&quot;3&quot;&gt;router&lt;/font&gt;&lt;/div&gt;" vertex="1">
+          <mxGeometry height="120" width="120" x="420" y="380" as="geometry" />
+        </mxCell>
+        <mxCell id="0_j7Obm5OifOXc6rpGYc-7" parent="1" style="whiteSpace=wrap;html=1;aspect=fixed;" value="&lt;font style=&quot;font-size: 18px;&quot;&gt;drive.com&lt;/font&gt;" vertex="1">
+          <mxGeometry height="120" width="120" x="680" y="380" as="geometry" />
+        </mxCell>
+        <mxCell id="0_j7Obm5OifOXc6rpGYc-9" parent="1" style="whiteSpace=wrap;html=1;aspect=fixed;" value="&lt;font style=&quot;font-size: 18px;&quot;&gt;nextcloud&lt;/font&gt;" vertex="1">
+          <mxGeometry height="120" width="120" x="240" y="380" as="geometry" />
+        </mxCell>
+        <mxCell id="0_j7Obm5OifOXc6rpGYc-10" parent="1" style="ellipse;whiteSpace=wrap;html=1;aspect=fixed;fillColor=#d5e8d4;strokeColor=#82b366;" value="" vertex="1">
+          <mxGeometry height="50" width="50" x="770" y="360" as="geometry" />
+        </mxCell>
+        <mxCell id="0_j7Obm5OifOXc6rpGYc-22" edge="1" parent="1" source="0_j7Obm5OifOXc6rpGYc-12" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=1;exitDx=0;exitDy=0;entryX=1;entryY=0.5;entryDx=0;entryDy=0;startArrow=classic;startFill=1;" target="0_j7Obm5OifOXc6rpGYc-7">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="0_j7Obm5OifOXc6rpGYc-12" parent="1" style="rounded=0;whiteSpace=wrap;html=1;" value="&lt;div&gt;&lt;font style=&quot;font-size: 18px;&quot;&gt;Identity&lt;/font&gt;&lt;/div&gt;&lt;div&gt;&lt;font size=&quot;3&quot;&gt;Provider&lt;/font&gt;&lt;/div&gt;" vertex="1">
+          <mxGeometry height="120" width="160" x="770" y="130" as="geometry" />
+        </mxCell>
+        <mxCell id="0_j7Obm5OifOXc6rpGYc-15" parent="1" style="text;html=1;whiteSpace=wrap;strokeColor=none;fillColor=none;align=center;verticalAlign=middle;rounded=0;" value="&lt;div&gt;access&lt;/div&gt;&lt;div&gt;token&lt;/div&gt;" vertex="1">
+          <mxGeometry height="30" width="60" x="700" y="150" as="geometry" />
+        </mxCell>
+        <mxCell id="0_j7Obm5OifOXc6rpGYc-17" parent="1" style="text;html=1;whiteSpace=wrap;strokeColor=none;fillColor=none;align=center;verticalAlign=middle;rounded=0;" value="&lt;div&gt;exchanged&lt;/div&gt;&lt;div&gt;token&lt;/div&gt;" vertex="1">
+          <mxGeometry height="30" width="60" x="700" y="204" as="geometry" />
+        </mxCell>
+        <mxCell id="0_j7Obm5OifOXc6rpGYc-19" parent="1" style="text;html=1;whiteSpace=wrap;strokeColor=none;fillColor=none;align=center;verticalAlign=middle;rounded=0;" value="&lt;div&gt;exchanged&lt;/div&gt;&lt;div&gt;token&lt;/div&gt;" vertex="1">
+          <mxGeometry height="30" width="60" x="580" y="320" as="geometry" />
+        </mxCell>
+        <mxCell id="0_j7Obm5OifOXc6rpGYc-24" parent="1" style="ellipse;whiteSpace=wrap;html=1;aspect=fixed;fillColor=#d5e8d4;strokeColor=#82b366;" value="" vertex="1">
+          <mxGeometry height="50" width="50" x="240" y="40" as="geometry" />
+        </mxCell>
+        <mxCell id="0_j7Obm5OifOXc6rpGYc-25" parent="1" style="text;html=1;whiteSpace=wrap;strokeColor=none;fillColor=none;align=left;verticalAlign=middle;rounded=0;" value="&lt;div align=&quot;left&quot;&gt;&lt;b&gt;&lt;font style=&quot;font-size: 14px;&quot;&gt;OpenBuro&lt;/font&gt;&lt;/b&gt;&lt;/div&gt;&lt;div align=&quot;left&quot;&gt;&lt;b&gt;&lt;font size=&quot;3&quot;&gt;certified&lt;/font&gt;&lt;/b&gt;&lt;/div&gt;" vertex="1">
+          <mxGeometry height="30" width="60" x="300" y="50" as="geometry" />
+        </mxCell>
+        <mxCell id="0_j7Obm5OifOXc6rpGYc-28" parent="1" style="text;html=1;whiteSpace=wrap;strokeColor=none;fillColor=none;align=left;verticalAlign=middle;rounded=0;" value="&lt;div align=&quot;left&quot;&gt;token&lt;/div&gt;&lt;div align=&quot;left&quot;&gt;introspection&lt;/div&gt;" vertex="1">
+          <mxGeometry height="30" width="60" x="860" y="320" as="geometry" />
+        </mxCell>
+        <mxCell id="0_j7Obm5OifOXc6rpGYc-32" parent="1" style="ellipse;whiteSpace=wrap;html=1;aspect=fixed;fillColor=#d5e8d4;strokeColor=#82b366;" value="" vertex="1">
+          <mxGeometry height="50" width="50" x="510" y="360" as="geometry" />
+        </mxCell>
+      </root>
+    </mxGraphModel>
+  </diagram>
+</mxfile>