Closed ghost closed 5 years ago
I don't know what Vault and Oct is, but I do know the security in the protocol :)
First some general info on security:
{"userId":42,"roles":["dev","admin"]}
As described in the Gateway Flow document, resgate will always make sure an access request is made before letting a client subscribe, or before making a call request on behalf of the client.
If a new token is issued, resgate will call "access" on any resource currently subscribed by that connection, to verify it still has access with the new token. If not, resgate will unsubscribe the resources.
I will gather a few links to the source code to show these concepts. Soon. ;)
I read what you said above. From what I can see all the things you referred to are about the token security in terms of the request / response model and it looks nice.
But what Vault gives is the issuance of user tokens for authentication AND for authorisation against roles. Roles maps to resources.
So without digging deep into the ResGate architecture, it might be worth looking at Vault.
I have only used Vault a bit and it is designed for proper security. Getting security right is hard. So anyway, maybe worth considering.
Link to vault and nomad integration.
Nomad is a global process runner. Vault is a global PKI issuer. Consul is the glue.
https://www.nomadproject.io/docs/vault-integration/index.html
How about implementing JWT, so that at least only authenticated users can connect to the WebSocket?
@goldalworming Thanks for the feedback!
JWT tokens are already supported (indirectly), both when using WebSocket and legacy HTTP (REST) requests.
There is currently no support for preventing clients from connecting to Resgate without a token. But you can prevent access to all the resources for a client that doesn't have a JWT token - which is close to the same thing.
I created a jwt-authentication example, which I was planning to do eventually anyway. Your post just made me do it right away :) It is in the develop branch:
Don't hesitate to post if you have more questions/suggestions/feedback. Much appreciated!
Closing topic
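As an added illustration of the flow described in this thread (not resgate's own code, and not the jwt-authentication example mentioned above): a Python service-side handler that verifies an HS256 JWT carrying the {"userId","roles"} payload quoted earlier, answers the access request resgate makes before a subscribe or call, and re-checks existing subscriptions once a new token is issued. The signing key, resource IDs and role policy are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample policy: which roles may subscribe to / call each resource ID.
POLICY = {"example.secrets": {"admin"}, "example.builds": {"dev", "admin"}}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Stand-in for the auth service's token issuer (constructed helper, not resgate code)."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """Pin the algorithm (the header's alg is ignored) and compare the MAC in constant time."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64url(sig), expected):
        raise ValueError("bad signature")
    return json.loads(_unb64url(body))


def has_access(claims: dict, rid: str) -> bool:
    """The access check resgate requests before a subscribe or call on a client's behalf."""
    return bool(POLICY.get(rid, set()) & set(claims.get("roles", [])))


def revalidate(claims: dict, subscribed: list) -> list:
    """After a new token, re-check every subscription; returns those resgate would unsubscribe."""
    return [rid for rid in subscribed if not has_access(claims, rid)]
```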
Could you point me to a few links in resgate, client and server JS code to show me the security architecture.
I want to try to integrate Vault (https://www.vaultproject.io/) to make it really enterprise extensible. At least to see what sensible opportunity there is to make it easy and powerful.
Vault has a Web GUI too written in golang which makes it easy to get the hang of: https://github.com/Caiyeon/goldfish I think that there is also a Web GUI built into Vault too, but I have not tried it.