Security

[ghost]

Could you point me to a few links in resgate, client and server JS code to show me the security architecture.

I want to try to I integrate Vault (https://www.vaultproject.io/) to make it really enterprise extensible. At least to see what sensible opportunity there is to make it easy and powerful.

Vault has a Web GUI too written in golang which makes it easy to get the hang of: https://github.com/Caiyeon/goldfish I think that there is also a Web GUI built into Vault too, but i have not tried it.

[jirenius]

I don't know what Vault and Oct is, but I do know the security in the protocol :)

First some general info on security:

• Security is handled using access tokens (or just token).
• The token is defined by the service issuing the token. Eg. {"userId":42,"roles":["dev","admin"]}
• Tokens can only be issued using a connection token event.
• Tokens are often issued as part of an auth request, but may be issued at any time, eg. a "call.adminService.kickUser" method.
• Tokens are stored in Resgate, and are never sent to the client.
• Tokens are tied to a connection. If a client reconnects, the previous token is discarded.
• Tokens never expire
• Tokens can at anytime be replaced/removed with a new connection token event
• Tokens are included in access, call and auth requests.

As described in the Gateway Flow document, resgate will always make sure an access request is made before letting a client subscribe, or before making a call request on behalf of the client.

If a new token is issued, resgate will call "access" on any resource currently subscribed by that connect, to verify it still has access with the new token. If not, resgate will unsubscribe the resources.

I will gather a few links to the source code to show these concepts. Soon. ;)

[ghost]

I read what you said above. From what i can see all the things you referred to are about the token security in terms of the request / response model and it looks nice.

But what Vault gives is the issuance of user tokens for authentication AND for authorisation against roles. Roles maps to resources.

SO without digging deep into the ResGate architecture is might be worth looking at Vault.

• You need a place to securely store the user tokens used for users that cant be tampered with.
• Users can request access to a part of the system and via vault it generates a auth request token, and notifies the Admin. The admin can then go in and see the request and then consent / deny the request. If he consents it changes the users access to the resource they requested.

I have only used Vault a bit and it is designed for proper security. Getting security right is hard. So anyway, maybe worth considering.

[ghost]

Link to vault and nomad integration.

Nomad is a golbal process runner. Vault is a global PKI issuer. Consul is the glue

https://www.nomadproject.io/docs/vault-integration/index.html

[goldalworming]

how about implement jwt, at least only auth user can connect to websocket

[jirenius]

@goldalworming Thanks for the feedback!

JWT tokens are already supported (indirectly), both when using WebSocket and legacy HTTP (REST) requests.

There is currently no support to prevent clients to connect to Resgate without a token. But you can prevent access to all the resources for a client that don't have a jwt token - which is close to the same thing.

I created a jwt-authentication example, which I anyway planned on doing eventually. Your post just made me do it right away :) . It is in the develop branch:

JWT Authentication Example

Don't hesitate to post if you have more questions/suggestions/feedback. Much appreciated!

[jirenius]

Closing topic