Service to Service Authorization and Authentication using JWT

I’ve been reading blogs and watching videos in regards to service to service authorization and authentication. JWT looks like a great way to do this.

The idea is that serviceA gets a custom signed JWT from vault such that serviceA can authenticate to and be authorised to perform actions on serviceB.

The reason to use a signed JWT is so that serviceB does not have to make a call to another service to validate which actions the credentials (permissions) allow to be performed on serviceB (like that of an API key) (Yes, there is a downside of how to revoke the JWT before its expiration).

When scaling up infra using JWT vs API key when there are many many services that all talk to each other, signed JWT will help a lot I believe (i.e. one call per service user per ttl with JWT vs each time serviceA does a request to serviceB, serviceB needs to talk to another service to validate the api key and its permissions).

The goal is for vault to output a JWT that looks something like the below:
"serviceB" is a service (e.g. task service) in my infrastructure. The "alw" section is what serviceA would be allowed to do on serviceB.

{
  "iss": "vault",
  "aud": "serviceB",
  "sub": "serviceA",
  "exp": 1596489066,
  "nbf": 1596485466,
  "jti": "2f665dad-0df6-4411-9cc7-d44dc3cde8c6",
  "alw": [
    "serviceB.upload",
    "serviceB.list"
  ]
}

I understand that this will probably require a plugin for vault that can generate the JWTs.

I was essentially wondering if anyone had done this already or any ideas how to implement this.
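Added example (not code from the post above and not part of Vault): a minimal version of both halves of the flow in Go, the language Vault and its plugins are written in. `Issue` stands in for the hypothetical Vault plugin that mints the token shape shown in the post, signed with an Ed25519 key (JWT `alg` "EdDSA"); `Verify` and `Authorize` are what serviceB would run on each request, holding only the issuer's public key, so no call back to Vault is needed. The signing algorithm, the function names and the key pair generated in `main` are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims mirrors the token shape in the post: registered claims plus the
// custom "alw" claim listing actions the subject may perform on the audience.
type Claims struct {
	Iss string   `json:"iss"`
	Aud string   `json:"aud"`
	Sub string   `json:"sub"`
	Exp int64    `json:"exp"`
	Nbf int64    `json:"nbf"`
	Jti string   `json:"jti"`
	Alw []string `json:"alw"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Issue plays the issuer (the hypothetical Vault plugin): it signs the claims
// with an Ed25519 private key that never leaves the issuer.
func Issue(priv ed25519.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(payload)
	return signingInput + "." + b64(ed25519.Sign(priv, []byte(signingInput))), nil
}

// Verify is serviceB's local check using only the issuer's public key. It pins
// the algorithm, verifies the signature before trusting any claim, then checks
// issuer, audience and the nbf/exp validity window.
func Verify(pub ed25519.PublicKey, token, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err != nil || json.Unmarshal(hdrBytes, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, errors.New("unexpected or unparsable header") // also rejects alg "none"
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("unparsable claims")
	}
	switch t := now.Unix(); {
	case c.Iss != wantIss:
		return nil, errors.New("wrong issuer")
	case c.Aud != wantAud:
		return nil, errors.New("token not intended for this service")
	case t >= c.Exp:
		return nil, errors.New("token expired")
	case t < c.Nbf:
		return nil, errors.New("token not yet valid")
	}
	return &c, nil
}

// Authorize is the local policy decision: does "alw" grant the requested action?
func Authorize(c *Claims, action string) bool {
	for _, a := range c.Alw {
		if a == action {
			return true
		}
	}
	return false
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed issuer key pair
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tok, err := Issue(priv, Claims{
		Iss: "vault", Aud: "serviceB", Sub: "serviceA",
		Exp: now.Add(time.Hour).Unix(), Nbf: now.Unix(),
		Jti: "2f665dad-0df6-4411-9cc7-d44dc3cde8c6",
		Alw: []string{"serviceB.upload", "serviceB.list"},
	})
	if err != nil {
		panic(err)
	}
	c, err := Verify(pub, tok, "vault", "serviceB", now)
	if err != nil {
		panic(err)
	}
	fmt.Println("upload allowed:", Authorize(c, "serviceB.upload"))
	fmt.Println("delete allowed:", Authorize(c, "serviceB.delete"))
}
```

Two points the example makes concrete: the audience check is what stops a token minted for serviceB from being replayed against another service, and because serviceB never calls back to the issuer, the only handles on revocation before `exp` are a short TTL or a locally maintained `jti` denylist, which is the trade-off the post already notes.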