The current authentication method is limited, unsuitable for purpose and requires sending passwords to the vault for registration.
- No built-in revocation
- Can't control how many times a JWT can be used
- Renewal is not possible
Proposal: Move over to Opaque tokens which would just be random cryptographically generated strings that don't contain any information. These should be hashed and stored in the database as keys with the values of that token being attributes that configure the token's access and authorisation granularly.
For example a principal should be able to:
- Generate a single-use token
- Generate a token with a subset of their policies
- Generate a token that is valid from t1 and expires at t2
Standalone example:

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

type Token struct {
	PrincipalId string    // ID of the principal associated with the token
	CreatedAt   time.Time // Creation time of the token
	Name        string    // Human-readable name for the token
	Policies    []string  // Policies associated with the token
}

type TokenStore struct {
	store map[string]*Token
}

func NewTokenStore() *TokenStore {
	return &TokenStore{
		store: make(map[string]*Token),
	}
}

func (ts *TokenStore) CreateToken(principalId string, name string, policies []string) string {
	token := generateToken()
	hashedToken := hashToken(token)
	ts.store[hashedToken] = &Token{PrincipalId: principalId, CreatedAt: time.Now(), Name: name, Policies: policies}
	return token
}

func (ts *TokenStore) VerifyToken(token string) bool {
	_, ok := ts.store[hashToken(token)]
	return ok
}

// generateToken draws 32 bytes from crypto/rand and hex-encodes them. The
// sketch originally used a time-seeded math/rand Int63, which is predictable
// and not a cryptographic source, so it could not deliver the "cryptographically
// generated" tokens the proposal describes.
func generateToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a token issuer cannot continue without a secure random source
	}
	return hex.EncodeToString(b)
}

// hashToken derives the storage key; only the hash is ever persisted.
func hashToken(token string) string {
	hash := sha256.Sum256([]byte(token))
	return hex.EncodeToString(hash[:])
}

func main() {
	ts := NewTokenStore()
	// 1) On successful login, generate a token:
	principalId := "user1"
	policies := []string{"read", "write"}
	token := ts.CreateToken(principalId, "Token for user1", policies)
	fmt.Printf("Generated Token: %s\n", token)
	// 2) On requests to the vault, verify and look up the token
	fmt.Println("Verify Token:", ts.VerifyToken(token))
	tokenInfo := ts.store[hashToken(token)]
	fmt.Printf("Token Name: %s\n", tokenInfo.Name)
	fmt.Printf("PrincipalId: %s\n", tokenInfo.PrincipalId)
	fmt.Printf("Policies: %v\n", tokenInfo.Policies)
	// 3) Proceed to policy enforcement
}
```
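The sketch above only shows issue-and-lookup. The following is an added example (not code from the discussion or from the project) that extends the same hash-keyed design to the three capabilities the proposal lists and to the revocation and use-count gaps it names: a token is minted from crypto/rand, stored only as its SHA-256, restricted to a subset of the issuing principal's policies, bounded by a not-before/expiry window, limited to N uses (1 for single-use), and revocable. The in-memory map standing in for the vault's database, and all type and function names, are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"time"
)

// Added example, not the project's code: rows are keyed by hex(SHA-256(token)),
// the raw token is never persisted, and the value carries the token's attributes.
type TokenAttrs struct {
	PrincipalID string
	Policies    []string  // subset of the issuing principal's policies
	NotBefore   time.Time // valid from t1 ...
	ExpiresAt   time.Time // ... until t2 (zero value: no expiry)
	UsesLeft    int       // remaining uses; -1 means unlimited
}

var (
	ErrUnknownToken  = errors.New("unknown or revoked token")
	ErrOutsideWindow = errors.New("token outside its validity window")
	ErrExhausted     = errors.New("token uses exhausted")
	ErrPolicyScope   = errors.New("requested policy not held by principal")
)

// TokenStore is an in-memory stand-in (assumption) for the vault's token table.
type TokenStore map[string]*TokenAttrs

func NewTokenStore() TokenStore { return TokenStore{} }

// hashToken derives the storage key; 256 bits of token entropy make a plain
// SHA-256 sufficient (no salt or slow KDF as would be needed for passwords).
func hashToken(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// generateToken returns 32 bytes from crypto/rand, URL-safe base64 encoded.
func generateToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // an issuer cannot continue without a secure random source
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// CreateToken issues a token for principalID limited to policies, which must be a
// subset of heldPolicies (what the principal itself may do); uses is the permitted
// number of uses (1 for single-use, -1 for unlimited).
func (ts TokenStore) CreateToken(principalID string, heldPolicies, policies []string,
	notBefore, expiresAt time.Time, uses int) (string, error) {
	held := make(map[string]bool, len(heldPolicies))
	for _, p := range heldPolicies {
		held[p] = true
	}
	for _, p := range policies {
		if !held[p] {
			return "", ErrPolicyScope
		}
	}
	token := generateToken()
	ts[hashToken(token)] = &TokenAttrs{
		PrincipalID: principalID, Policies: append([]string(nil), policies...),
		NotBefore: notBefore, ExpiresAt: expiresAt, UsesLeft: uses,
	}
	return token, nil
}

// Use validates the presented token, consumes one use and returns a copy of its
// attributes for the policy-enforcement step that follows.
func (ts TokenStore) Use(token string) (TokenAttrs, error) {
	a, ok := ts[hashToken(token)]
	if !ok {
		return TokenAttrs{}, ErrUnknownToken
	}
	now := time.Now()
	if now.Before(a.NotBefore) || (!a.ExpiresAt.IsZero() && !now.Before(a.ExpiresAt)) {
		return TokenAttrs{}, ErrOutsideWindow
	}
	if a.UsesLeft == 0 {
		return TokenAttrs{}, ErrExhausted
	}
	if a.UsesLeft > 0 {
		a.UsesLeft-- // a single-use token reaches 0 here and fails on the next call
	}
	return *a, nil
}

// Revoke deletes the row, so the token then fails lookup like any unknown one.
func (ts TokenStore) Revoke(token string) bool {
	h := hashToken(token)
	_, ok := ts[h]
	delete(ts, h)
	return ok
}
```

Two points a production version would add on top of this: the lookup-and-decrement in Use must be a single atomic database update (or run under a lock) so that a single-use token cannot be redeemed twice by concurrent requests, and revocation would more likely keep a tombstoned row, or record the revocation against a separate token accessor, so that the audit trail survives and a principal can revoke a token without holding the raw value.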