Enable interop HTTP based authentication and resolve technical debt #4677

Closed
johanstokking opened this issue Sep 29, 2021 · 1 comment · Fixed by #4723
Labels
blocking Another issue or pull request is waiting for this c/join server This is related to the Join Server c/shared This is shared between components in progress We're working on it technical debt Not necessarily broken, but could be done better/cleaner
@johanstokking

Summary

Enable HTTP-based authentication for interop. Whenever we touch this, we should also resolve technical debt.

References #717
References #2627

Why do we need this?

To support Backend Interfaces clients that do not use TLS client authentication, but for which we allow authenticators that use an API key or token.

What is already there? What do you see now?

Currently, pkg/interop's server only supports TLS client authentication.

The aforementioned package is also built around Echo.

What is missing? What do you want to see?

TLS client authentication should become optional and we should support dynamic authentication mechanisms. One authentication mechanism could be checking an API key against a configured value or validating a token.

Use the more generic HTTP middleware instead of Echo.

How do you propose to implement this?

  1. Add non-TLS endpoint for interop
  2. On the TLS endpoint, do not require a TLS client certificate
  3. Replace Echo middleware with generic HTTP middleware
  4. Add a dynamic authenticator mechanism that sets pkg/auth info on the request context
  5. Turn Join Server's authorizer based on X.509 Distinguished Name into an authenticator that checks the authenticated name in a more generic way, as it may also come from a token or API key

How do you propose to test this?

CI

Can you do this yourself and submit a Pull Request?

Yes
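
A sketch of steps 3 and 4 above, added here as an example and not taken from pkg/interop or the pull request that fixed this issue: generic net/http middleware that tries authenticators in order and puts the authenticated name on the request context, failing closed when a credential is missing or invalid. The `X-API-Key` header, the `ns-example` name and the key value are assumptions; a TLS client certificate authenticator reading `r.TLS.VerifiedChains` would be one more entry in the same chain.

```go
package main

import (
	"context"
	"crypto/subtle"
	"errors"
	"net/http"
)

// Authenticator returns the authenticated name, or errNone if its credential is absent.
type Authenticator func(*http.Request) (string, error)
var errNone = errors.New("no credentials presented")
type nameKey struct{} // context key under which the authenticated name is stored

// apiKeyAuth takes a name -> key map; the X-API-Key header name is an assumption.
func apiKeyAuth(keys map[string]string) Authenticator {
	return func(r *http.Request) (name string, err error) {
		got := r.Header.Get("X-API-Key")
		if got == "" {
			return "", errNone
		}
		err = errors.New("invalid API key")
		for n, want := range keys { // no early exit: compare against every configured key
			if subtle.ConstantTimeCompare([]byte(got), []byte(want)) == 1 {
				name, err = n, nil
			}
		}
		return name, err
	}
}

// Authenticate runs the chain; only an absent credential falls through to the next entry.
func Authenticate(next http.Handler, auths ...Authenticator) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		name, err := "", errNone
		for i := 0; i < len(auths) && err == errNone; i++ {
			name, err = auths[i](r) // a presented but invalid credential stops the chain
		}
		if err != nil {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), nameKey{}, name)))
	})
}

func main() {
	auth := apiKeyAuth(map[string]string{"ns-example": "constructed-key"}) // constructed value
	http.ListenAndServe("127.0.0.1:8080", Authenticate(http.NotFoundHandler(), auth))
}
```

Downstream handlers read the name with `r.Context().Value(nameKey{})`, so an authorizer only sees an authenticated name and does not need to know whether it came from a certificate, a token or an API key.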

@johanstokking johanstokking added c/join server This is related to the Join Server c/shared This is shared between components technical debt Not necessarily broken, but could be done better/cleaner labels Sep 29, 2021
@johanstokking johanstokking added this to the v3.15.2 milestone Sep 29, 2021
@johanstokking johanstokking self-assigned this Sep 29, 2021
@github-actions github-actions bot added the needs/triage We still need to triage this label Sep 29, 2021
@johanstokking johanstokking removed the needs/triage We still need to triage this label Sep 29, 2021
@johanstokking johanstokking added the blocking Another issue or pull request is waiting for this label Sep 29, 2021
@johanstokking

Blocking #4678
