
[Edgex-tsc] Auth Service

James.White2@...

Drasko,
Per our meeting yesterday, I think the answer is yes this would be of interest. We wholeheartedly accept such contributions for consideration into the upcoming release cycle. If you (Mainflux) or others are willing to build these that would be great.

As a community, we need to make sure any contribution, to include this proposed one, meets the architectural guideposts we have in place (and from our conversation yesterday, I think this one does, but I defer to the security experts for a more affirmative reaction). And we, as a community as of yesterday, haven't set this out as something we need as MVP for the California release, but would love to see it if you can make it happen.

As I understand it, I think this would be a good addition to what we talked about for AAA with regard to support of the Basic Auth option. I would encourage you to continue to share through the Security WG via Doug, David and Riaz and others your thoughts, progress and any requests to deviate from our resolutions about California that we made yesterday.

Jim
________________________________________
From: edgex-tsc-bounces@... <edgex-tsc-bounces@...> on behalf of Drasko DRASKOVIC <drasko@...>
Sent: Tuesday, January 16, 2018 11:53 PM
To: edgex-golang@...; edgex-devel@...; edgex-tsc@...; edgex-tsc-security@...; edgex-tsc-core@...; Dejan Mijic; Janko Isidorovic; darko@...; manuel@...; Nikola Marcetic
Subject: [Edgex-tsc] Auth Service

Hi all,
I started writing a small Auth service that would live behind the
proxy and have 3 goals:
1) To create (register) a user (i.e. create a user account in MongoDB)
2) Login user (i.e. issue JWT token upon correct username + password)
3) Expose /auth API call so that all other API calls to other services
can first be redirected to this service for Auth check

Basically - whole API of the service is here:
https://github.com/drasko/edgex-auth/blob/master/auth/server.go#L21-L27

This service would solve gateway protection on production level
(encrypted user credentials are kept in MongoDB, can be also written
in Vault in later versions), and I guess that first version can be
finished in a couple of days.

Would something like this be of interest?

Best regards,
Drasko DRASKOVIC
Mainflux Author and Technical Advisor

www.mainflux.com | Industrial IoT Cloud
-------------------------------------------------------------------
Engineering Division | Paris, France

LinkedIn: https://www.linkedin.com/in/draskodraskovic
Twitter: @draskodraskovic

_______________________________________________
EdgeX-TSC mailing list
EdgeX-TSC@...
https://lists.edgexfoundry.org/mailman/listinfo/edgex-tsc

Gardner, Doug <Doug.Gardner@...>

Drasko,
Absolutely, this is a great addition and will greatly help the developer environment. This dual approach that supports a simple username/password in addition to supporting the more secure OAuth2 will benefit our security position and allow us to better understand the tradeoffs.

Thanks for your contribution!




Thanks
Doug Gardner
doug.gardner@...
Office: 813.559.6617

-------- Original message --------
From: James.White2@...
Date: 1/17/18 8:18 AM (GMT-05:00)
To: drasko@..., edgex-golang@..., edgex-devel@..., edgex-tsc@..., edgex-tsc-security@..., edgex-tsc-core@..., dejan.mijic@..., janko@..., darko@..., manuel@..., nikola@...
Subject: Re: [Edgex-tsc] Auth Service

Drasko,
Per our meeting yesterday, I think the answer is yes this would be of interest. We wholeheartedly accept such contributions for consideration into the upcoming release cycle. If you (Mainflux) or others are willing to build these that would be great.

As a community, we need to make sure any contribution, to include this proposed one, meet the architectural guideposts we have in place (and from our conversation yesterday, I think this one does but defer to the security experts for more affirmative reaction). And we, as a community as of yesterday, haven't set this out as something we need as MVP for California release, but would love to see it if you can make it happen.

As I understand it, I think this would be a good addition to what we talked about for AAA with regard to support of the Basic Auth option. I would encourage you to continue to share through the Security WG via Doug, David and Riaz and others your thoughts, progress and any requests to deviate from our resolutions about California that we made yesterday.

Jim

Drasko DRASKOVIC <drasko@...>

Hello,
great, thanks.

The idea is to provide a simple and lightweight service that sits between
a simple NginX config file and a full-blown OAuth2.0 provider. In contrast
to a simple pre-configured config file, it will be production-grade and
will offer dynamic operation (adding/removing users/tokens).

Note that this microservice can be used for securing southbound also,
i.e. obtaining simple JWT tokens for devices (sensors).

Jim,
I agree that we should not necessarily put this in the California MVP,
but the service will be there for the people who want to experiment and do
lightweight integrations. This service will work without problems on an
RPi. When we consider the service tested we can promote it further.

I will prepare a few slides to explain the service, but it is very
simple and generic (actually so generic that it can be reused for any
project). So, if somebody wants to help, PRs gladly accepted here:
https://github.com/drasko/edgex-auth, I'll maintain the repo until it
is ready to be uploaded to official EdgeX GitHub.

Best regards,
Drasko DRASKOVIC
Mainflux Author and Technical Advisor

www.mainflux.com | Industrial IoT Cloud
-------------------------------------------------------------------
Engineering Division | Paris, France

LinkedIn: https://www.linkedin.com/in/draskodraskovic
Twitter: @draskodraskovic
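The three goals Drasko describes (register a user, log in and receive a JWT, and a /auth check that the proxy can call before forwarding a request) as a minimal worked example. This is added illustration code, not code from the edgex-auth repository: it keeps users in an in-memory dict in place of MongoDB, generates a throwaway signing key, and uses only Python's standard library for salted PBKDF2 password storage and HS256 token signing and verification.

```python
import base64, hashlib, hmac, json, os, secrets, time

# Constructed in-memory store and key for this example; the proposed service keeps
# credentials in MongoDB (Vault later) and would load its signing key from config.
USERS = {}                        # username -> {"salt": bytes, "hash": bytes}
SECRET = secrets.token_bytes(32)  # HS256 signing key, generated fresh per process here
PBKDF2_ROUNDS = 200_000

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def register(username: str, password: str) -> bool:
    """Goal 1: create the account, storing only a salted PBKDF2 hash, never the password."""
    if username in USERS:
        return False
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[username] = {"salt": salt, "hash": digest}
    return True

def login(username: str, password: str, ttl: int = 3600):
    """Goal 2: check the password and issue a signed HS256 JWT with an expiry; None on failure."""
    rec = USERS.get(username, {"salt": b"\0" * 16, "hash": b""})  # dummy record: hash anyway, same timing
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(digest, rec["hash"]):   # constant-time compare
        return None
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": username, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def auth_check(token: str):
    """Goal 3: what the /auth endpoint does for the proxy; returns the subject or None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":  # refuse 'none' / other algs
            return None
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
        if claims.get("exp", 0) <= time.time():           # expired token
            return None
        return claims.get("sub")
    except (ValueError, TypeError, AttributeError):      # malformed token of any kind
        return None
```

In the deployment Drasko sketches, the proxy would forward the Authorization header to /auth and only pass the request through when this check returns a subject.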

On Wed, Jan 17, 2018 at 2:39 PM, Gardner, Doug <Doug.Gardner@...> wrote:
Drasko,
Absolutely, this is a great addition and will greatly help the developer environment. This dual approach that supports a simple username/password in addition to supporting the more secure OAuth2 will benefit our security position and allow us to better understand the tradeoffs

Thanks for your contribution!