David Ferriera <david.ferriera@...>
This is a great start, thanks for the effort. I will take a look at it.
There are a couple of additional items that would be required to be complete:
- Full CRUD operations on the user/identity including password change (password change by the user or admin only)
- Root/Admin identity required including secure administration of the root/admin identity - only this identity can perform C and D ops above
- Token validation endpoint for the proxy to call - this would include token expiry validation
- Code changes to the proxies to call the above endpoint with the token, handle responses and potentially translate for response to client
- Work through the preferred auth flow (redirects are not preferred for a service to service flow)
- For a complete solution, we will need some sort of ACLs/authorization rule capability - e.g., this identity can stop/start edgex services
- Security validation of the solution, for example:
  - Are the tokens signed and encrypted? If yes, where/how do you store the key(s), what algorithm?
  - How are the passwords stored (hashed not encrypted?), what algorithm?
  - Are the passwords readable (even hashed) by all other microservices?
  - How is key rotation handled?
Some food for thought going forward about what we would need for something that is fully functional. There are probably a few more. It would be great if you are willing to contribute all of the above. If so, I think it would be a good choice to replace the heavier solution. Let's discuss.
On Wed, Jan 17, 2018 at 12:53 AM, Drasko DRASKOVIC <drasko@...>
I started writing a small Auth service that would live behind the proxy and have 3 goals:
1) To create (register) a user (i.e. create a user account in MongoDB)
2) Login user (i.e. issue JWT token upon correct username + password)
3) Expose /auth API call so that all other API calls to other services can first be redirected to this service for Auth check
Basically - the whole API of the service is here:
This service would solve gateway protection on production level (encrypted user credentials are kept in MongoDB, can be also written in Vault in later versions), and I guess that first version can be finished in a couple of days.
Would something like this be of interest?
Mainflux Author and Technical Advisor
www.mainflux.com | Industrial IoT Cloud
Engineering Division | Paris, France
EdgeX-TSC-Security mailing list
David Ferriera | Forgerock
Senior Director, Cloud Technology | Office of the CTO