Authentication

The authentication in Caido is based on the OAuth 2.0 Authorization Framework. It replaces the need for licenses and will allow us to provide hosted and sharing services down the line. Each Instance registers itself with our cloud API using the Dynamic Client Registration Protocol and obtains a client ID and secret. Upon the first login, the user "claims" the client ID for their Instance.

WARNING

Even though the API is authenticated, the proxy itself is currently not protected. That is why we strongly advise not to put your Caido Instances on the open internet.

Grants

We use a few OAuth2 grants depending on the API.

  • Client Credentials: We use this grant to get an access token that authenticates the Instance itself with the cloud.
  • Device Authorization: We use this grant to get access and refresh tokens that authenticate a user. This grant is convenient because, unlike most other grants, it does not require a redirect from the browser.
  • Refresh Token: We use this grant to refresh the access token of the user without having to ask the user to re-login. At this moment, we do not make any guarantees on the lifetime of the tokens.

Figure: Authenticate user flow.
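The three grants above, run end to end as an added example (this is illustration code, not Caido's implementation or its cloud API). The `FakeAuthServer` class is a constructed in-memory stand-in for the authorization server; its response shapes follow RFC 6749 and RFC 8628, but the hypothetical client ID format, the user code, the `example.invalid` URI and the refresh-token rotation on every issuance are assumptions made for the demo. The client-side `poll_for_token` shows the part a practitioner most often gets wrong: honouring `authorization_pending` and `slow_down` instead of hammering the token endpoint, and treating `expired_token` / `access_denied` as terminal.

```python
"""Added example (not Caido's code): Client Credentials, Device Authorization
and Refresh Token grants against a constructed in-memory auth server."""
import secrets
import time

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


class FakeAuthServer:
    """Constructed stand-in for the cloud API; returns dicts shaped like the
    JSON a real token endpoint would return."""

    def __init__(self):
        self.clients = {}         # client_id -> client_secret
        self.devices = {}         # device_code -> {"polls": n, "approved": bool}
        self.refresh_tokens = {}  # live refresh_token -> subject

    def register_client(self):
        # Dynamic Client Registration: one (client_id, client_secret) per Instance
        client_id, client_secret = "inst-" + secrets.token_hex(4), secrets.token_urlsafe(24)
        self.clients[client_id] = client_secret
        return {"client_id": client_id, "client_secret": client_secret}

    def client_credentials(self, client_id, client_secret):
        # Client Credentials grant: authenticates the Instance, not a user
        if not secrets.compare_digest(self.clients.get(client_id, ""), client_secret):
            return {"error": "invalid_client"}
        return {"access_token": "inst-at-" + secrets.token_hex(8), "token_type": "Bearer"}

    def device_authorization(self, client_id):
        # Device Authorization request: codes the user approves out of band, no redirect
        if client_id not in self.clients:
            return {"error": "invalid_client"}
        device_code = secrets.token_urlsafe(24)
        self.devices[device_code] = {"polls": 0, "approved": False}
        return {"device_code": device_code, "user_code": "WXYZ-1234",  # constructed
                "verification_uri": "https://auth.example.invalid/device",
                "interval": 5, "expires_in": 600}

    def user_approves(self, device_code):
        # Simulates the user entering user_code in a browser and confirming
        self.devices[device_code]["approved"] = True

    def token(self, grant_type, **p):
        if grant_type == DEVICE_GRANT:
            entry = self.devices.get(p.get("device_code"))
            if entry is None:
                return {"error": "expired_token"}
            entry["polls"] += 1
            if entry["polls"] == 1:
                return {"error": "slow_down"}  # first poll: exercise the back-off path
            if not entry["approved"]:
                return {"error": "authorization_pending"}
            return self._issue("user@example.invalid")
        if grant_type == "refresh_token":
            subject = self.refresh_tokens.pop(p.get("refresh_token"), None)
            if subject is None:
                return {"error": "invalid_grant"}  # unknown or already-rotated token
            return self._issue(subject)
        return {"error": "unsupported_grant_type"}

    def _issue(self, subject):
        # Assumption for the demo: every issuance rotates the refresh token
        rt = "rt-" + secrets.token_hex(8)
        self.refresh_tokens[rt] = subject
        return {"access_token": "user-at-" + secrets.token_hex(8), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": rt}


def poll_for_token(server, client_id, device_code, interval, sleep=time.sleep,
                   max_polls=10, on_pending=None):
    """Client side of the device grant: poll until approved, following the
    RFC 8628 back-off rules instead of hammering the endpoint."""
    wait = interval
    for attempt in range(max_polls):
        resp = server.token(DEVICE_GRANT, client_id=client_id, device_code=device_code)
        if "access_token" in resp:
            return resp
        err = resp.get("error")
        if err == "slow_down":
            wait += 5  # RFC 8628 section 3.5: add 5 seconds to the polling interval
        elif err == "authorization_pending":
            if on_pending:
                on_pending(attempt)
        elif err in ("access_denied", "expired_token"):
            raise PermissionError(err)  # terminal: user refused or the code timed out
        else:
            raise RuntimeError(f"unexpected token response: {resp}")
        sleep(wait)
    raise TimeoutError("user did not approve the device code in time")


def instance_login(server, sleep=time.sleep):
    """The page's sequence: register, authenticate the Instance, authenticate
    a user via the device grant, refresh once, then replay the old token."""
    creds = server.register_client()
    instance = server.client_credentials(creds["client_id"], creds["client_secret"])
    grant = server.device_authorization(creds["client_id"])
    approve = lambda attempt: server.user_approves(grant["device_code"])  # demo "user"
    user = poll_for_token(server, creds["client_id"], grant["device_code"],
                          grant["interval"], sleep=sleep, on_pending=approve)
    refreshed = server.token("refresh_token", refresh_token=user["refresh_token"])
    replay = server.token("refresh_token", refresh_token=user["refresh_token"])
    return {"instance": instance, "user": user, "refreshed": refreshed, "replay": replay}
```

Call `instance_login(FakeAuthServer(), sleep=lambda s: None)` to run the whole sequence without real delays; the returned `replay` entry shows the rotated refresh token being rejected with `invalid_grant`, which is the behaviour to expect from a server that rotates on refresh (the page makes no guarantee either way about token lifetime, so a real client should handle `invalid_grant` by falling back to a fresh device authorization).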

Secrets Storage

  • Client Secret: Stored encrypted in the secrets.db database on the Instance disk.
  • Instance Access Token: Stored encrypted in the secrets.db database on the Instance disk.
  • User Access & Refresh Tokens: Stored in the browser local storage of the user. Never stored on the Instance, but can be present in memory.