littlemanco / the-golden-path.net

A template for writing a new tool or service.

Authentication #14

Open andrewhowdencom opened 4 years ago

andrewhowdencom commented 4 years ago

Authentication should be done by mTLS (service → service) and via OpenID (per request).

andrewhowdencom commented 4 years ago

Also, the gateway might be able to do a token transformation from a user request to some internal representation of authentication (i.e. more granular scopes).

Scopes should be a URI. For example, given a service called "foo":

auth.foo.littleman.co/foo.bar.baz

CRUD-style authentication seems easiest to model after. Also solves the problem of revocation (somewhat) if the tokens are issued per ingress RPC. Can model this as the CA system is otherwise modelled:

Root CA → Identity Broker → User Session Identity → RPC Identity

Where

Identity Broker: Service that can verify the user somehow and create a token signed by the user's identity.
User Session Identity: An intermediary CA that can be dropped if the user drops all sessions. Can constrain permissions, limited lifetime (~24 hours) before refresh by the broker.
RPC Identity: A client certificate for RPCs that is issued only for the timeout of the RPC. Can constrain permissions, and should be verified against the user session identity. Can be renewed by other identity brokers, but brokers must reprove user identity somehow.

Practically this might be pretty inefficient.
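The four-tier chain described above, as an added Go example that is not code from the issue or from the the-golden-path.net project: it issues Root CA → Identity Broker → User Session Identity → RPC Identity and then checks an RPC certificate against its session. It assumes scopes are carried as URI SANs with a scheme prefixed (https://auth.foo.littleman.co/foo.bar.baz) so they parse as URIs, that an RPC identity may only hold scopes its session already holds, and that the function names, the clock-based serial number and the tier lifetimes are illustrative.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net/url"
	"slices"
	"time"
)

// issue mints a key pair and certificate for cn signed by parentKey (self-signed when parent is nil); scopes become URI SANs.
func issue(cn string, ca bool, ttl time.Duration, parent *x509.Certificate, parentKey ed25519.PrivateKey, scopes ...*url.URL) (*x509.Certificate, ed25519.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, URIs: scopes, IsCA: ca, // clock serial is an example shortcut; a real CA must guarantee uniqueness
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}} // every tier is limited to client auth
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Authorize issues Root CA -> Identity Broker -> User Session Identity (24h) -> RPC Identity (30s), verifies the RPC cert at time now, and rejects any scope the session does not also hold.
func Authorize(sessionScopes []*url.URL, rpcScope *url.URL, now time.Time) error {
	root, rootKey := issue("Root CA", true, 10*365*24*time.Hour, nil, nil)
	broker, brokerKey := issue("Identity Broker", true, 365*24*time.Hour, root, rootKey)
	session, sessionKey := issue("User Session Identity", true, 24*time.Hour, broker, brokerKey, sessionScopes...)
	leaf, _ := issue("RPC Identity", false, 30*time.Second, session, sessionKey, rpcScope)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(broker)
	inters.AddCert(session)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return err // expired RPC or session tier, or a chain that does not reach the root
	}
	for _, u := range leaf.URIs { // chains[0][1] is the User Session Identity that issued the RPC certificate
		if !slices.ContainsFunc(chains[0][1].URIs, func(h *url.URL) bool { return h.String() == u.String() }) {
			return errors.New("scope not granted to session: " + u.String())
		}
	}
	return nil
}
```

Dropping the session (or letting its 24-hour lifetime lapse) invalidates every RPC certificate beneath it without touching the broker or root, which is the revocation property the comment is after.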