package auth

Get desktop application:
View/edit binary Protocol Buffers messages

The Auth service provides tokens or host certificates to use for authentication. Tokens identify users (or agents in general) typically performing API calls or accessing web based resources. Host certificates identify machines or API endpoints in general so users/agents can be certain of the identity of the endpoint. For a token to be issued to a CLI tool: 1. Invoke the Authenticate() method. This will return an URL for the user to visit with his own browser. 2. Invoke the Token() method, repeatedly, with a pause in between attempts and a timeout. Once the user completes the browser based authentication, the Token() method will succeed and return a token. This works as visiting the URL returned by Authenticate() with a browser kicks off some sort of web based authentication (oauth, saml, or ... - the auth server gRPC endpoint is really agnostic to it), and at the end of the process, out of band, the web server responsible for the authentication will confirm the identity of the user to the auth server which will then issue a token. In the current (Jan/25) simple auth server implementation, the web server performing the authentication is in the same binary as the gRPC auth endpoint. The out of band step to confirm the identity of the user is performed by invoking the `FeedToken` method. This simple implementation also mandates that the CLI tool and web based authentication must be served by the same backend. Which means there's either a single backend, or the load balancer is capable of guaranteeing that a given IP is always sent to the same backend, or there's some other form of "session stickyness". The HostCertificate issuing mechanism implementation is currently incomplete. A certificate is always returned, with no real checking mechanism. TODO: complete the HostCertificate implementation.

• rpc Authenticate (AuthenticateRequest, AuthenticateResponse)

  auth.proto:76

  Use to retrieve the url to visit to create an authentication token.

  message AuthenticateRequest

  auth.proto:5

  • bytes key = 1

    Public key of the client, to be used to encrypt the token.

  • string user = 2

  • string domain = 3

  message AuthenticateResponse

  auth.proto:11

  • bytes key = 1

    Public key of the server, to be used to decrypt the token.

  • string url = 2

    URL for the user to visit to complete the authentication request.

• rpc HostCertificate (HostCertificateRequest, HostCertificateResponse)

  auth.proto:81

  Used to retrieve an SSH certificate for a host.

  message HostCertificateRequest

  auth.proto:29

  • bytes hostcert = 1

    The public key of the host that will be returned as signed by the CA

  • repeated string hosts = 2

    A list of DNS names you wish for the host to have.

  message HostCertificateResponse

  auth.proto:34

  • bytes capublickey = 1

    The CA public key.

  • bytes signedhostcert = 2

    The signed host certificate passed in the request.

• rpc Token (TokenRequest, TokenResponse)

  auth.proto:78

  Use to retrieve an authentication token.

  message TokenRequest

  auth.proto:16

  • string url = 1

    URL returned by server.

  • bytes publickey = 2

    Public key to be signed by the server. Optional.

  message TokenResponse

  auth.proto:21

  • bytes nonce = 1

    Nonce used for encryption.

  • bytes token = 2

    Encrypted token. Requires the private key corresponding to the public key supplied to open.

  • bytes cert = 4

    Certificate signed to be used with the Private Key, is a signed version of the public key sent in the TokenRequest.

  • bytes capublickey = 5

    CA Public Key to be added to the authenticated client.

  • repeated string cahosts = 6

    List of hosts the CA should be trusted for.