bakulinav / loyalty

Extended Loyalty system

ENG: Add JWT support to authorise user inside the System #12

Open bakulinav opened 6 years ago

bakulinav commented 6 years ago

Engine service (ENG) should support authorisation over the JWT mechanism (RFC 7519).

A JWT should include at least clientID to distinguish the client's scope during ShoppingCart processing in the rules engine processor. The JWT will also have a clientName attribute. For the current state of the project, the clientID1 and clientID2 stubs are available.

Make the API service send a JWT to the ENG service. Use the HS512 (HMAC using SHA-512) algorithm for the JWT signature.

It should decline non-JWT requests. It should decline requests carrying an unknown clientID.

Update ENG Postman collections to use JWT auth.

bakulinav commented 6 years ago

JWT reference documentation is at jwt.io.

bakulinav commented 6 years ago

JWT supports signing and encryption. For research purposes and to reduce overhead, encryption will not be used. If possible, reduce signing of messages too, as the ENG and API modules communicate in a trusted environment.

No signing. No encryption.

bakulinav commented 6 years ago

The JWT spec suggests recommended payload fields: iss (issuer), exp (expiration time), sub (subject), aud (audience) and others.

It is enough for Engine to accept iss and exp, to distinguish the source of the JWT (API or Postman) and its expiration date.

bakulinav commented 6 years ago

In Spring Boot, JWT could be implemented as part of the Spring Security starter (https://auth0.com/blog/securing-spring-boot-with-jwts/), but there is no built-in implementation of JWT. Instead, use community-developed modules integrated with Spring Security.

bakulinav commented 6 years ago

There is no way to exclude the signing step from JWT. Use the HS512 algorithm for the JWT signature.
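As an added example (not code from the issue or from the loyalty project), here is a stdlib-only Python sketch of the checks the thread settles on: an HS512 signature, iss and exp claims plus clientID and clientName, and rejection of non-JWT requests and unknown clientIDs. The shared secret, the issuer names "API" and "Postman", and the client registry are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

SECRET = b"example-shared-secret-not-from-the-project"  # constructed placeholder
KNOWN_CLIENTS = {"clientID1", "clientID2"}   # stubs named in the issue
TRUSTED_ISSUERS = {"API", "Postman"}         # the two JWT sources the issue distinguishes by iss

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _sign(signing_input: str) -> bytes:
    # HS512 = HMAC-SHA512 over "<base64url header>.<base64url payload>"
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha512).digest()

def mint_token(client_id, client_name, issuer, ttl=300, now=None):
    """Build the HS512-signed JWT the API service sends to ENG."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS512", "typ": "JWT"}
    payload = {"iss": issuer, "exp": now + ttl,
               "clientID": client_id, "clientName": client_name}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, payload))
    return signing_input + "." + _b64url(_sign(signing_input))

def verify_token(token, now=None):
    """Return (accepted, reason, payload); ENG should reject anything not accepted."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "not a JWT", None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except ValueError:                      # bad base64 or bad JSON
        return False, "not a JWT", None
    if not (isinstance(header, dict) and isinstance(payload, dict)):
        return False, "not a JWT", None
    if header.get("alg") != "HS512":        # pin the algorithm; never trust the header's choice
        return False, "unsupported alg", None
    if not hmac.compare_digest(sig, _sign(parts[0] + "." + parts[1])):
        return False, "bad signature", None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return False, "expired", None
    if payload.get("iss") not in TRUSTED_ISSUERS:
        return False, "unknown issuer", None
    if payload.get("clientID") not in KNOWN_CLIENTS:
        return False, "unknown clientID", None
    return True, "ok", payload
```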