(Fwd) Re: Auth Service

Domenico Rotondi

Sorry for posting again, but my previous email was rejected having used my
company address.
------- Forwarded message follows -------
From: Domenico Rotondi <domenico.rotondi@...>
To: Drasko DRASKOVIC <drasko@...>
Subject: Re: [Edgex-tsc-security] Auth Service
Cc: edgex-golang@..., edgex-devel@...,
edgex-tsc@..., edgex-tsc-security@...,
edgex-tsc-core@..., Dejan Mijic <dejan.mijic@...>,
Janko Isidorovic <janko@...>, darko@...,
manuel@..., Nikola Marcetic <nikola@...>,
Diego Pedone <diego.pedone@...>, Leonardo Straniero <leonardo.straniero@...>
Date: Wed, 17 Jan 2018 15:52:36 +0100

On 17 Jan 2018 at 6:53, Drasko DRASKOVIC wrote:
Hi all,
if of interest, in FINCONS SpA, we have developed, in the context of EU R&D
projects, a set of libraries (JavaScript and Java) and backend to manage login and
AuthZ using JWT tokens and other security features to increase the overall system
reliability. Everything is provided with the Apache V2 license.

From an architectural point of view our scenario envisages clients, an Authorization
Service and one or more "operational services" (in our case for example a document
store and a policy store).
As in token based systems, any request to any service has to include an explicit
authorization token that must be requested to the Authorization Service before
submitting the service request (this is managed internally by our libraries). Therefore,
on the service side there is no need to check user ID, access rights, etc.; the only
check is related to the correctness of the presented token.

Of course, the client needs initially to authenticate itself, but, in order to avoid having
to manage sensitive info like password on the backend, we actually use a
proof-of-ownership of the presented identity.
If the proof is successful then the client and the Authorization Service create a shared
secret which is used afterwards to manage token's requests from the client to the
Authorization Service.

If of interest we'll be happy to provide the SW. Of course no problem in providing
further details.

Hi all,
I started writing a small Auth service that would live behind the
proxy and have 3 goals:
1) To create (register) a user (i.e. create a user account in MongoDB)
2) Login user (i.e. issue JWT token upon correct username + password)
3) Expose /auth API call so that all other API calls to other services
can be first redirected first to this service for Auth check

Basically - whole API of the service is here:

This service would solve gateway protection on production level
(encrypted user credentials are kept in MongoDB, can be also written
in Vault in later versions), and I guess that first version can be
finished in a couple of days.

Would something like this be of interest?

Best regards,
Mainflux Author and Technical Advisor

www.mainflux.com | Industrial IoT Cloud
Engineering Division | Paris, France

LinkedIn: https://www.linkedin.com/in/draskodraskovic
Twitter: @draskodraskovic

EdgeX-TSC-Security mailing list
------- End of forwarded message -------

This email has been checked for viruses by AVG.

Join EdgeX-TSC-Security@lists.edgexfoundry.org to automatically receive all group messages.