From 3c8b71812cecb84b586481df3253500d323b0ed4 Mon Sep 17 00:00:00 2001
From: Greg Steuck
Date: Tue, 15 Jun 2021 16:57:10 -0700
Subject: dashboard/app: dump notes into the comment

---
 dashboard/app/auth.go | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/dashboard/app/auth.go b/dashboard/app/auth.go
index ac9b2454a..a8a4c7d42 100644
--- a/dashboard/app/auth.go
+++ b/dashboard/app/auth.go
@@ -1,6 +1,29 @@
 // Copyright 2017 syzkaller project authors. All rights reserved.
 // Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
 
+// Relies on tokeninfo because it is properly documented:
+// https://developers.google.com/identity/protocols/oauth2/openid-connect#validatinganidtoken
+
+// The client
+// The VM that wants to invoke the API:
+// 1) Gets a token from the metainfo server with this http request:
+// curl -sH 'Metadata-Flavor: Google' 'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=https://syzkaller.appspot.com/api'
+// 2) Invokes /api with header 'Authorization: Bearer '
+
+// Maybe we can use
+// https://pkg.go.dev/golang.org/x/oauth2/google
+
+// The AppEngine api server:
+// 1) Receive the token, invokes this http request:
+// curl -s "https://oauth2.googleapis.com/tokeninfo?id_token="
+// 2) Checks the resulting JSON having the expected audience and expiration.
+// 3) Looks up the permissions in the config using the value of sub.
+//
+// https://cloud.google.com/iap/docs/signed-headers-howto#retrieving_the_user_identity from the IAP docs agrees to trust sub.
+
+// TODO: private key caching and local verification?
+//
+
 package main
 
 import (
-- 
cgit mrf-deployment
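Review bot: The server-side checklist in the new header comment (step 2, "Checks the resulting JSON having the expected audience and expiration") omits the issuer check that the linked OpenID Connect validation doc also lists, so an implementation written from these notes could accept a token with the right `aud` and `exp` but an unexpected `iss`; suggest amending the line to `// 2) Checks the resulting JSON having the expected issuer, audience and expiration.` and noting under step 1 that a non-200 response from tokeninfo must be treated as an invalid token rather than parsed. The placeholders in `'Authorization: Bearer '` and `tokeninfo?id_token=` appear to have been lost (likely an angle-bracketed `<token>` stripped on the way in), which makes the curl examples misleading as written; spell them as `$TOKEN` or similar. The hunk covers only the file header and the start of the import block; the code these notes describe lies outside it.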