Open chaitanyasingla-dt opened 3 months ago
Scytale always uses basic auth (pre-configured in the configuration) to communicate with Talaria, and here is the code for the same.
Since Scytale APIs are called from Tr1d1um and Scytale can accept both Basic and Bearer auth, Scytale must use the same authorisation type when sending requests downstream as was initially accepted by Scytale.
Hello 🙂
Talaria should only be accessed by internal servers like scytale, so basic auth would suffice. Also, we don't want to propagate the token to talaria from scytale because talaria would need its own set of permissions.
While that was the case, we would like to support JWTs going from Scytale to Talaria. That improves the security position because the JWT can be rotated more easily and has better controls than basic auth.
When a bearer token is used to call tr1d1um APIs, the token is successfully propagated to scytale. However, scytale does not further propagate the bearer token to Talaria.
cc: @Sachin4403 @schmidtw
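The behaviour the thread asks for (Scytale forwarding to Talaria with the same authorization scheme it accepted from Tr1d1um, falling back to the pre-configured Basic credentials) sketched as a small Go function. This is an added illustration, not code from Scytale or any xmidt-org repository; the `DownstreamAuth` type, the `PropagateAuth` method, the hostnames and the sample token are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// DownstreamAuth holds the pre-configured Basic credentials Scytale would use
// toward Talaria. Hypothetical type and field names; not Scytale's real config.
type DownstreamAuth struct {
	BasicUser string
	BasicPass string
}

// ErrNoAuth is returned when the incoming request carries no usable scheme.
var ErrNoAuth = errors.New("unsupported or missing Authorization scheme")

// authScheme splits an Authorization header into a lower-cased scheme and the
// credentials that follow it. An empty scheme means the header was unusable.
func authScheme(header string) (scheme, credentials string) {
	parts := strings.SplitN(strings.TrimSpace(header), " ", 2)
	if len(parts) != 2 || strings.TrimSpace(parts[1]) == "" {
		return "", ""
	}
	return strings.ToLower(parts[0]), strings.TrimSpace(parts[1])
}

// PropagateAuth sets Authorization on the downstream (Talaria) request to match
// the scheme accepted on the incoming request:
//   - Bearer in  -> the same Bearer token is forwarded unchanged
//   - Basic  in  -> the pre-configured Basic credentials are used
// It returns the scheme it chose so callers can log or assert on it.
func (d DownstreamAuth) PropagateAuth(in, out *http.Request) (string, error) {
	scheme, cred := authScheme(in.Header.Get("Authorization"))
	switch scheme {
	case "bearer":
		// Forwarding the token means Talaria must validate it with its own
		// policy; it cannot rely on Scytale having done so.
		out.Header.Set("Authorization", "Bearer "+cred)
		return "bearer", nil
	case "basic":
		// Do not forward the caller's Basic credentials; use Scytale's own.
		out.SetBasicAuth(d.BasicUser, d.BasicPass)
		return "basic", nil
	default:
		return "", fmt.Errorf("%w: %q", ErrNoAuth, scheme)
	}
}

func main() {
	d := DownstreamAuth{BasicUser: "scytale", BasicPass: "secret"} // constructed sample
	for _, hdr := range []string{
		"Bearer eyJhbGciOiJIUzI1NiJ9.e30.sig", // constructed, not a real JWT
		"Basic dHIxZDF1bTpwdw==",              // "tr1d1um:pw", constructed
		"",
	} {
		in, _ := http.NewRequest(http.MethodGet, "http://scytale.local/api/v2/device", nil)
		in.Header.Set("Authorization", hdr)
		out, _ := http.NewRequest(http.MethodGet, "http://talaria.local/api/v2/device", nil)
		scheme, err := d.PropagateAuth(in, out)
		fmt.Printf("in=%q -> scheme=%q downstream=%q err=%v\n",
			hdr, scheme, out.Header.Get("Authorization"), err)
	}
}
```

The fallback for an unrecognised scheme is an error rather than a silent switch to Basic, so a misconfigured or stripped header fails closed instead of quietly gaining Scytale's Talaria credentials.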