xmidt-org / scytale

Xmidt API server written in Go
Apache License 2.0
7 stars 13 forks source link

Issue with Bearer Token propogation in Scytale #391

Open chaitanyasingla-dt opened 4 months ago

chaitanyasingla-dt commented 4 months ago

When a bearer token is used to call tr1d1um APIs, the token is successfully propagated to scytale. However, scytale does not further propagate the bearer token to Talaria.

cc: @Sachin4403 @schmidtw

Sachin4403 commented 4 months ago

Scytale is using always basic auth(pre-configured in configuration) to communicate with Talaria and here is the code for the same.

https://github.com/xmidt-org/scytale/blob/c8233d4668281b9945517d6d67862d35cebf4851/primaryHandler.go#L377-L381

Since Scytale APIs are being called from Tr1d1um and Scytale can accept the Basic and Bearer auth so we Scytale must use the same authorisation type while sending request to downstream which was initially accepted by scytale.

denopink commented 4 months ago

Hello 🙂

Talaria should only be accessed by internal servers like scytale so basic auth would suffice. Also, we don't want to propagate the token to talaria from scytale because talaria would need its own set of permissions.

schmidtw commented 4 months ago

While that was the case, we would like to support JWTs going from Scytale to Talaria. That improves the security position because the JWT can be rotated more easily and has better controls than basic auth.