WIP: Implement public key authentication #97
Conversation
|
Hi! Sorry about the delay getting back to you. This is interesting; did you have any specific questions or plans (since it's marked as a draft), or do you feel this might be ready to merge if I am happy with it? |
|
Also, can you briefly describe how this is used? Is the server keeping a collection of public keys, which the clients have the secrets for? What tools are used to generate these key pairs? |
|
It might be ready to merge if you are happy with it. I tried to achieve the goal with the minimal set of changes to the other code paths, but you might have ideas to make it less intrusive still. The idea is that the client has a private key while the server has a list of public keys and the domains they are authorized for. So the server can check if the authentication by the client is signed by a private key that fit's the public key that is authorized for that domain. Concretely I want each cloudfleet box to authenticate against all cloudfleet services with one ed25519 key to avoid having to deal with the exchange of secret keys and for easier deployment of additional services as no secrets need to be shared. |
Also create exemplary JWS auth scripts.