[Edgex-tsc-security] Auth Service

David Ferriera <david.ferriera@...>

Hi Drasko,

This is a great start, thanks for the effort. I will take a look at it.

There are a couple of additional items that would be required to be complete:
  • Full CRUD operations on the user/identity including password change (password change by the user or admin only)
  • Root/Admin identity required including secure administration of the root/admin identity - only this identity can perform C and D ops above
  • Token validation endpoint for the proxy to call - this would include token expiry validation
  • Code changes to the proxies to call the above endpoint with the token, handle responses and potentially translate for response to client
  • Work through the preferred auth flow (redirects are not preferred for a service to service flow)
  • For a complete solution, we will need some sort of ACLs/authorization rule capability - e.g., this identity can stop/start edgex services
  • Security validation of the solution for example:
    • Are the tokens signed and encrypted? If yes, where/how do you store the key(s), what algorithm?
    • How are the passwords stored (hashed not encrypted?), what algorithm?
    • Are the passwords readable (even hashed) by all other microservices?
    • How is key rotation handled?
Some food for thought going forward about what we would need for something that is fully functional. There are probably a few more. It would be great if you are willing to contribute all of the above. If so, I think it would be a good choice to replace the heavier solution. Let's discuss.

Thanks,
-David

On Wed, Jan 17, 2018 at 12:53 AM, Drasko DRASKOVIC <drasko@...> wrote:
Hi all,
I started writing a small Auth service that would live behind the
proxy and have 3 goals:
1) To create (register) a user (i.e. create a user account in MongoDB)
2) Login user (i.e. issue JWT token upon correct username + password)
3) Expose /auth API call so that all other API calls to other services
can first be redirected to this service for Auth check

Basically - whole API of the service is here:
https://github.com/drasko/edgex-auth/blob/master/auth/server.go#L21-L27

This service would solve gateway protection on production level
(encrypted user credentials are kept in MongoDB, can be also written
in Vault in later versions), and I guess that first version can be
finished in a couple of days.

Would something like this be of interest?

Best regards,
Drasko DRASKOVIC
Mainflux Author and Technical Advisor

www.mainflux.com   |  Industrial IoT Cloud
-------------------------------------------------------------------
Engineering Division |   Paris, France

LinkedIn: https://www.linkedin.com/in/draskodraskovic
Twitter: @draskodraskovic

_______________________________________________
EdgeX-TSC-Security mailing list
EdgeX-TSC-Security@lists.edgexfoundry.org
https://lists.edgexfoundry.org/mailman/listinfo/edgex-tsc-security

--
David Ferriera | Forgerock
Senior Director, Cloud Technology | Office of the CTO
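The two pieces the thread keeps coming back to are the JWT issued at login and the token validation endpoint the proxy would call (signature plus expiry). The following is an added illustration in Go, not code from the edgex-auth repository: it signs a compact HS256 token, and the Validate function is the check a /auth handler would run, verifying the HMAC in constant time before any claim is trusted and only then checking expiry. The key (demoKey), the Claims layout and the function names are assumptions for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims carried in the token; Exp is a Unix expiry timestamp.
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}
var enc = base64.RawURLEncoding
var demoKey = []byte("demo-key-load-from-vault-in-production") // hypothetical key, not a real secret
// sign computes the HMAC-SHA256 tag over the signing input "header.payload".
func sign(input string, key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}
// Issue builds a compact HS256 token at login: header.payload.signature.
func Issue(c Claims, key []byte) string {
	payload, _ := json.Marshal(c) // cannot fail for this struct
	input := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(payload)
	return input + "." + enc.EncodeToString(sign(input, key))
}

// Validate backs the /auth endpoint the proxy calls: constant-time signature check first, then expiry.
func Validate(tok string, key []byte, now time.Time) (*Claims, error) {
	parts := strings.Split(tok, ".")
	sig, err := enc.DecodeString(parts[len(parts)-1])
	if len(parts) != 3 || err != nil || !hmac.Equal(sig, sign(parts[0]+"."+parts[1], key)) {
		return nil, fmt.Errorf("malformed token or bad signature")
	}
	var c Claims
	if payload, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, fmt.Errorf("malformed payload")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}
func main() {
	fmt.Println(Validate(Issue(Claims{Sub: "admin", Exp: time.Now().Add(time.Hour).Unix()}, demoKey), demoKey, time.Now()))
}
```

Because the signature is checked before the payload is even decoded, an unsigned or re-signed token never reaches the expiry or claim logic, which is the property the proxy relies on when it forwards the token to this endpoint.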