Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Network Interface #70

Closed
robert-cronin opened this issue Aug 11, 2020 · 0 comments · Fixed by #64
Closed

Network Interface #70

robert-cronin opened this issue Aug 11, 2020 · 0 comments · Fixed by #64
Assignees
Labels
development Standard development
Milestone

Comments

@robert-cronin
Copy link
Contributor

HTTP or GRPC or take your pick of any networked protocol

This interfacing method makes Polykey equivalent to any other password/secret service like Vault or AWS Secret manager.

Basically this requires a third party networked client to send a request message with an authentation token that PK checks, and then returns a response with the relevant secret.

This has a little of complication here, because now you have these authentication tokens that PK needs to keep track of. It can do this statelessly with HMAC tokens, or it can do it statefully. But essentially this makes PK a "web service" like any other secret management system.

So if somebody wanted to use polykey, but wanted to use it IN THE EXACT SAME WAY they already use AWS Secret Manager or Vault. Then they could. But it does add some extra work necessary to provide the token generation/distribution ability.

To see how to do this, just look at Vault. They have an existing token system for this particular usecase.

And also OAuth2 is basically this. @DrFacepalm

To simplify this implementation, you could just take an OAuth2 server javascript impl and use that as the token system.

It seems like we can just use this: https://github.com/oauthjs/node-oauth2-server

Once you do this you have these concepts to model:

  • Users
  • Tokens
  • The relationship between users, tokens and vaults

So basically 1 user, may be given N tokens, and each token has the "authority" a.k.a. "scope" to access a subset of all vaults.

See the OAuth2 spec here: https://tools.ietf.org/html/rfc6749#section-1.2

And talk to @DrFacepalm since he's already gone through it.

This thing should be left as low priority for now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
development Standard development
Development

Successfully merging a pull request may close this issue.

1 participant