quorum-board#197: add qlight token manager plugin (#224)
* QLight Token Manager plugin usage

* changes

* Apply suggestions from code review

* move qlight token manager doc to the conf doc file

* TW edits

Co-authored-by: Roland Tyler <[email protected]>
baptiste-b-pegasys and rolandtyler authored May 16, 2022
1 parent 94a42a9 commit f49d63c
Showing 1 changed file with 61 additions and 0 deletions.
61 changes: 61 additions & 0 deletions docs/configure-and-manage/configure/qlight-node.md
Expand Up @@ -52,3 +52,64 @@ Specify a refresh mechanism for the token using [`--qlight.client.token.manageme

You can add an encryption layer on the qlight client-server communication.
Configure the encryption layer using the [`qlight.tls.*`](../../reference/cli-syntax.md#qlighttls) command line options.

## Configure the `client-security-plugin` mode

In this mode, the configured Go-Quorum plugin is called when the token expiry is reached.
You can configure and even develop your own implementation of this plugin.

The plugins are in the ConsenSys repository and are downloaded automatically to the plugins directory.

You can provide your own plugin implementation. Refer to the [use of plugin with the hello world tutorial](../../tutorials/use-plugin.md) and follow the same steps with the following projects:

- [ProtoBuf model](https://github.com/ConsenSys/quorum-plugin-definitions/blob/master/qlight-token-manager.proto) - GoQuorum plugins are based on the Hashicorp plugin model, this is a gRPC model for the communication interaction.

- [QLight Token Manager Plugin SDK in Go](https://github.com/ConsenSys/quorum-qlight-token-manager-plugin-sdk-go) - The model is pre-compiled as an SDK you can refer to, so you can develop your own implementation.

- [GoQuorum Qlight Token Manager Plugin](https://github.com/ConsenSys/quorum-plugin-qlight-token-manager) - The Go-Quorum implementation using the Ory Hydra OAuth server.

You can refer to the [QLight Client with Token Manager Plugin](https://github.com/baptiste-b-pegasys/quorum-examples/pull/1/files#diff-f1ae6238d92e0b4f764eede62765302b1cfffee7e9a971a48ee97354b57b9686) Docker-compose file in the GoQuorum examples.

### Steps

1. Configure the plugins (`plugins/geth-plugin-settings.json`)

```json
{
"baseDir": "./plugins",
"providers": {
"qlighttokenmanager": {
"name":"quorum-plugin-qlight-token-manager",
"version":"1.0.0",
"config": "file://./plugins/qlight-token-manager-plugin-config.json"
},
"helloworld": {
"name":"quorum-plugin-hello-world",
"version":"1.0.0",
"config": "file://./plugins/hello-world-plugin-config.json"
}
}
}
```

2. Configure the qlight token manager (`plugins/qlight-token-manager-plugin-config.json`)

```json
{
"url":"https://multi-tenancy-oauth2-server:4444/oauth2/token",
"method":"POST",
"parameters":{
"grant_type":"client_credentials",
"client_id":"${PSI}",
"client_secret":"foofoo",
"scope":"rpc://eth_* p2p://qlight rpc://admin_* rpc://personal_* rpc://quorumExtension_* rpc://rpc_modules psi://${PSI}?self.eoa=0x0&node.eoa=0x0",
"audience":"Node1"
}
}
```

3. Enable the plugins configuration in the geth arguments

Add the flag `--plugins file://./plugins/geth-plugin-settings.json --plugins.skipverify` so GoQuorum enables them.

(`skipverify` will skip the verification of the plugins integrity)
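
Review bot: Step 3 gives `--plugins.skipverify` as part of the flag to copy, with only a trailing parenthetical that it skips plugin integrity verification. The section says earlier that the plugins are downloaded automatically to the plugins directory, so a reader who pastes this line runs downloaded binaries unverified. Suggest showing the `--plugins file://./plugins/geth-plugin-settings.json` flag on its own, and presenting `--plugins.skipverify` as a separate, optional flag for local testing, with the explanation placed before it rather than after. In step 2, the sample `qlight-token-manager-plugin-config.json` carries `"client_secret":"foofoo"` in a plain file and requests a scope that includes `rpc://admin_*` and `rpc://personal_*`. Please mark the secret as a placeholder, say that the file should be readable only by the account running the node, and note that the scope should be narrowed to what the qlight client needs. The sample in step 1 also registers the `helloworld` provider, which the steps never use, so it can be dropped from the example. Style: the new text mixes "Go-Quorum" with "GoQuorum" and "qlight" with "QLight" and "Qlight"; pick one spelling of each.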
