You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
HTTP or GRPC or take your pick of any networked protocol
This interfacing method makes Polykey equivalent to any other password/secret service like Vault or AWS Secret manager.
Basically this requires a third party networked client to send a request message with an authentation token that PK checks, and then returns a response with the relevant secret.
This has a little of complication here, because now you have these authentication tokens that PK needs to keep track of. It can do this statelessly with HMAC tokens, or it can do it statefully. But essentially this makes PK a "web service" like any other secret management system.
So if somebody wanted to use polykey, but wanted to use it IN THE EXACT SAME WAY they already use AWS Secret Manager or Vault. Then they could. But it does add some extra work necessary to provide the token generation/distribution ability.
To see how to do this, just look at Vault. They have an existing token system for this particular usecase.
HTTP or GRPC or take your pick of any networked protocol
This interfacing method makes Polykey equivalent to any other password/secret service like Vault or AWS Secret manager.
Basically this requires a third party networked client to send a request message with an authentation token that PK checks, and then returns a response with the relevant secret.
This has a little of complication here, because now you have these authentication tokens that PK needs to keep track of. It can do this statelessly with HMAC tokens, or it can do it statefully. But essentially this makes PK a "web service" like any other secret management system.
So if somebody wanted to use polykey, but wanted to use it IN THE EXACT SAME WAY they already use AWS Secret Manager or Vault. Then they could. But it does add some extra work necessary to provide the token generation/distribution ability.
To see how to do this, just look at Vault. They have an existing token system for this particular usecase.
And also OAuth2 is basically this. @DrFacepalm
To simplify this implementation, you could just take an OAuth2 server javascript impl and use that as the token system.
It seems like we can just use this: https://github.com/oauthjs/node-oauth2-server
Once you do this you have these concepts to model:
So basically 1 user, may be given N tokens, and each token has the "authority" a.k.a. "scope" to access a subset of all vaults.
See the OAuth2 spec here: https://tools.ietf.org/html/rfc6749#section-1.2
And talk to @DrFacepalm since he's already gone through it.
This thing should be left as low priority for now.
The text was updated successfully, but these errors were encountered: