Vlado Handziski <handziski@...>
toggle quoted messageShow quoted text
I also think that this approach of using JWT as short-term, single-use authorization tokens has benefits vs. using JWT as a pseudo session mechanism. I am not a security expert, but there seems to be a lot of general debate in the community over the usability of JWT in this context, i.e.:
I definitely see value in having a lightweight AAA, as proposed by Drasko, so one option to reduce the attack / error surface would be to use something like PAST instead: https://github.com/ericchiang/go-past
On 17 Jan 2018 at 6:53, Drasko DRASKOVIC wrote:
if of interest, in FINCONS SpA, we have developed, in the context of EU R&D
AuthZ using JWT tokens and other security features to increase the overall system
reliability. Everything is provided with the Apache V2 license.
From an architectural point of view our scenario envisages clients, an Authorization
Service and one or more "operational services" (in our case for example a document
store and a policy store).
As in token based systems, any request to any service has to include an explicit
authorization token that must be requested to the Authorization Service before
submitting the service request (this is managed internally by our libraries). Therefore,
on the service side there is no need to check user ID, access rights, etc.; the only
check is related to the correctness of the presented token.
Of course, the client needs initially to authenticate itself, but, in order to avoid having
to manage sensitive info like password on the backend, we actually use a
proof-of-ownership of the presented identity.
If the proof is successful then the client and the Authorization Service create a shared
secret which is used afterwards to manage token's requests from the client to the
If of interest we'll be happy to provide the SW. Of course no problem in providing
I started writing a small Auth service that would live behind the
proxy and have 3 goals:
1) To create (register) a user (i.e. create a user account in MongoDB)
2) Login user (i.e. issue JWT token upon correct username + password)
3) Expose /auth API call so that all other API calls to other services
can be first redirected first to this service for Auth check
Basically - whole API of the service is here:
This service would solve gateway protection on production level
(encrypted user credentials are kept in MongoDB, can be also written
in Vault in later versions), and I guess that first version can be
finished in a couple of days.
Would something like this be of interest?
Mainflux Author and Technical Advisor
www.mainflux.com | Industrial IoT Cloud
Engineering Division | Paris, France
EdgeX-TSC-Security mailing list
PERSONALE E CONFIDENZIALE
Questa mail potrebbe includere materiale confidenziale, proprietario o
altrimenti privato per l'uso esclusivo del destinatario.
Se l'avete ricevuto per errore, siete pregati di contattare chi ha inviato il
messaggio e di cancellarne tutte le copie.
Ogni altro uso da parte vostra del messaggio è proibito.
Se non ti è necessario, non stampare questo documento. Grazie
PERSONAL AND CONFIDENTIAL
This message is for the designated recipient only and may contain privileged,
proprietary, or otherwise private information. If you have received it in error,
please notify the sender immediately and delete all the copies.
Any other use of the email by you is prohibited.
Please consider the environment before printing this email
This email has been checked for viruses by AVG.
EdgeX-TSC mailing list