enpaul
/
keyosk
mirror of https://github.com/enpaul/keyosk.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
79 Commits 4 Branches 0 Tags 240 KiB
Python 51.7%
Makefile 48.3%
Go to file
Ethan Paul eb113d8d0b Merge static and static-tests tox envs 2020-03-14 12:22:09 -04:00
.github Upate CI to split out different python versions by container 2020-03-09 00:36:08 -04:00
docs Update about file with less sketchy loading system 2020-02-24 20:33:44 -05:00
keyosk Add tests for account serializer 2020-03-12 22:58:33 -04:00
tests Add tests for account serializer 2020-03-12 22:58:33 -04:00
.coveragerc Fix typo in coveragerc 2020-02-24 20:33:44 -05:00
.gitignore Add mypy cache to gitignore 2020-02-18 23:02:24 -05:00
.pre-commit-config.yaml Update repo meta files 2020-02-18 22:37:39 -05:00
.pylintrc Update repo meta files 2020-02-18 22:37:39 -05:00
LICENSE.md Update repo meta files 2020-02-18 22:37:39 -05:00
Makefile !fixup makefile 2020-03-09 00:42:07 -04:00
README.md Update development documentation 2020-02-18 23:07:48 -05:00
poetry.lock Update dependencies 2020-03-14 12:15:41 -04:00
pyproject.toml Update dependencies 2020-03-14 12:15:41 -04:00
tox.ini Merge static and static-tests tox envs 2020-03-14 12:22:09 -04:00

README.md

keyosk

jwt compatible Code style: black

Keyosk is a RESTful web service that can be used to issue application-agnostic JSON Web Tokens (JWTs).

In a microservice based architecture, each service only communicates with the other services using the publicly exposed API. This promotes more consistent and stable APIs as well as more intentionally specialized services. However, when it comes to authentication this can present a problem: to ensure secure authentication for a microservice-based application there are only two real options:

  • Each service must re-implement an authentication system, leading to duplicated code, nonstandard interfaces, and the potential for synchronization problems
  • The services must have access to a shared resource outside of their publicly defined APIs, which is kind of against the whole idea of microservice architectures

Keyosk provides a third option:

Users can authenticate against Keyosk and be issued a JSON Web Token, which can then be used to authenticate against other microservices in the application. When a microservice receives a user-submitted JWT it can verify with the Keyosk server that the token a) is valid and b) hasn't been tampered with.

The workflow looks something like this:

  1. User wants to submit a request to the ToDo Service
  2. User submits username and password/API key using HTTP basic auth to Keyosk
  3. Keyosk validates the user's credentials and issues a JWT that encodes the users permissions, then signs the JWT using its private-key.
  4. The user takes the JWT issued by Keyosk and submits their request to the ToDo Service
  5. The ToDo Service queries Keyosk for its public-key and uses the public-key to verify that the JWT it just received was in fact issued by Keyosk and hasn't been tampered with.
  6. The ToDo Service decodes the JWT and is able to read the permissions information for the user's account directly out of the JWT itself.

The application's accounts are stored in one location, the authentication workflow is the same for all the application's components, and all the components communicate with each other over their public API.

To learn more, read the docs!

building

This project uses Poetry for its build and development system. Please install Poetry and run poetry install to create and populate the virtual environment.

# build python wheel and source distributions
make build

# build sphinx documentation in HTML format
make docs

# build sphinx documentation in another format
make docs SPHINX_FORMAT=<some other sphinx format>

developing

This project requires Poetry version 1.0 or newer.

# create virtual environment from lockfile
poetry install

# install pre-commit hooks
poetry run pre-commit install

# run the automated tests
poetry run tox