Jans Lock Pub Sub Client Design
OPA is a CNCF project that provides a compact Policy Decision Point ("PDP") that runs locally as a sidecar. It is very performant because all data and policies are held in memory. To be useful, though, that in-memory data and those policies have to be kept up to date in real time. Jans Lock is proposed as a new component that uses a Pub/Sub fan-out topology to push updates from Auth Server to Lock clients, so that current data is available for policy decisions in OPA.
It looks like we can use WebSockets in Auth Server (Weld) to handle the Pub/Sub requirement. For example:
```java
import java.io.IOException;
import javax.inject.Inject;
import javax.websocket.*;
import javax.websocket.server.ServerEndpoint;

// The container creates one instance per connection on the WebSocket upgrade.
// @Inject into the endpoint works where the container integrates CDI (Weld) with JSR 356.
@ServerEndpoint(value = "/blabla")
public class WebsocketService {
    @Inject
    private DatabaseProvider dbProvider;

    @OnOpen
    public void onOpen(Session session) throws IOException {
        // do something: e.g. register this Lock client session for fan-out
    }

    @OnMessage
    public void onMessage(Session session, String socketPacket) throws IOException {
        // do something else: handle a message sent by the Lock client
    }

    @OnClose
    public void onClose(Session session, CloseReason reason) {
        // drop the session from the fan-out set
    }
    // ...
}
```
The main things we want to make available to OPA are tokens: both access tokens and transaction tokens (when available in Jans). To minimize the load on Auth Server, we should send reference ids to the Lock clients, not the token values. Each Lock client should then retrieve the token values directly from the Database or Cache Service. Lock should also download and push the latest OP signing public keys and OPA policies (from Git).
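As an added example (not Jans code), here is what that exchange looks like on both sides: Auth Server fans out a small JSON event carrying only the token reference id, and the Lock client resolves the id against the Cache Service and loads the token value into OPA through its data API (`PUT`/`DELETE /v1/data/...`). The `/jans-lock` path, the `TokenCache` interface and the OPA data path `http://localhost:8181/v1/data/jans/tokens` are assumptions; the client side needs Java 11+ for `java.net.http`.

```java
// Added example, not Jans code. Assumptions: the "/jans-lock" path, the TokenCache
// interface, and the OPA data path http://localhost:8181/v1/data/jans/tokens.
import java.io.IOException;
import java.io.StringReader;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.json.Json;
import javax.json.JsonObject;
import javax.websocket.*;
import javax.websocket.server.ServerEndpoint;

// ---- Auth Server side (Weld web app). One endpoint instance per connection, ----
// ---- so the registry of open Lock client sessions is static.                ----
@ServerEndpoint("/jans-lock")
public class LockEventEndpoint {
    private static final Set<Session> SESSIONS = ConcurrentHashMap.newKeySet();

    @OnOpen
    public void onOpen(Session session) { SESSIONS.add(session); }

    @OnClose
    public void onClose(Session session, CloseReason reason) { SESSIONS.remove(session); }

    @OnError
    public void onError(Session session, Throwable t) { SESSIONS.remove(session); }

    // Called from the token issuance / revocation code path. The message carries the
    // reference id only; the token value never leaves the Database / Cache Service.
    public static void publishTokenEvent(String event, String tokenRef) {
        String msg = Json.createObjectBuilder()
                .add("event", event)   // "token_issued" or "token_revoked"
                .add("ref", tokenRef)  // opaque reference id
                .build().toString();
        for (Session s : SESSIONS) {
            if (!s.isOpen()) { SESSIONS.remove(s); continue; }
            // Async send: a slow Lock client must not stall Auth Server's token endpoint.
            s.getAsyncRemote().sendText(msg);
        }
    }
}

// ---- Lock client side (separate module). Assumed TokenCache wraps the ----
// ---- Jans Database / Cache Service lookup by reference id.             ----
interface TokenCache {
    JsonObject lookup(String tokenRef); // null if the token is already gone
}

@ClientEndpoint
class LockClientEndpoint {
    private final TokenCache cache;
    private final URI opaTokens; // e.g. http://localhost:8181/v1/data/jans/tokens
    private final HttpClient http = HttpClient.newHttpClient();

    LockClientEndpoint(TokenCache cache, URI opaTokens) {
        this.cache = cache;
        this.opaTokens = opaTokens;
    }

    @OnMessage
    public void onMessage(String msg) throws IOException, InterruptedException {
        JsonObject evt = Json.createReader(new StringReader(msg)).readObject();
        String ref = evt.getString("ref");
        // One OPA document per token: /v1/data/jans/tokens/<ref>
        URI doc = URI.create(opaTokens + "/" + URLEncoder.encode(ref, StandardCharsets.UTF_8));
        HttpRequest req;
        switch (evt.getString("event", "")) {
            case "token_issued": {
                JsonObject token = cache.lookup(ref);
                if (token == null) return; // expired or revoked between publish and lookup
                req = HttpRequest.newBuilder(doc)
                        .header("Content-Type", "application/json")
                        .PUT(HttpRequest.BodyPublishers.ofString(token.toString())).build();
                break;
            }
            case "token_revoked":
                req = HttpRequest.newBuilder(doc).DELETE().build();
                break;
            default:
                return; // unknown event type: ignore it, do not drop the connection
        }
        HttpResponse<Void> resp = http.send(req, HttpResponse.BodyHandlers.discarding());
        if (resp.statusCode() / 100 != 2) {
            throw new IOException("OPA data API returned " + resp.statusCode() + " for " + doc);
        }
    }
}
```

The client connects with `ContainerProvider.getWebSocketContainer().connectToServer(new LockClientEndpoint(cache, opaTokens), URI.create("wss://.../jans-lock"))`. Because the event only identifies the token, a reference id that leaks in transit or in a log is useless without read access to the Cache Service, which is the point of the split.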
It's important that the Lock client stays small (maybe Quarkus vs. Weld?). We need an HTTPS /health endpoint for the Jans Lock Client, so it has to be some kind of web application.
Access and transaction tokens contain very sensitive data. Jans Lock clients should use OAuth Dynamic Client Registration (DCR) to register and obtain access tokens, which should be included in each request and validated by Auth Server. Ideally we'd specify an SSA (software statement assertion) and publish a DCR script that requires clients to register an asymmetric key, so that they use private key authentication (private_key_jwt) at the token endpoint. DPoP-bound access tokens would also be good.
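As an added example (not Jans code), this is where the access-token check would sit on the Auth Server side: the WebSocket handshake is an ordinary HTTPS GET, so a servlet filter mapped to the endpoint path sees the upgrade request and can answer 401 before the container upgrades the connection, which the JSR 356 handshake hooks cannot do cleanly. The `/jans-lock` path, the `jans_lock` scope and the `TokenIntrospection` interface (standing in for Auth Server's own token validation) are assumptions; the DPoP proof checks are delegated to that assumed interface rather than implemented here.

```java
// Added example, not Jans code. Assumptions: the "/jans-lock" path, the "jans_lock"
// scope and the TokenIntrospection interface. Uses the javax.* namespace like the
// endpoint snippet above; Filter.init/destroy default to no-ops since Servlet 4.0.
import java.io.IOException;
import javax.inject.Inject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed interface over Auth Server's token validation.
interface TokenIntrospection {
    boolean isActiveWithScope(String accessToken, String scope); // active, unexpired, has scope
    boolean isDpopBound(String accessToken);                     // token carries a cnf.jkt claim
    // RFC 9449 section 4.3 checks: proof signature against its embedded JWK, htm/htu match,
    // ath = hash of the access token, fresh jti, JWK thumbprint equals the token's cnf.jkt.
    boolean verifyDpopProof(String proof, String accessToken, String htm, String htu);
}

@WebFilter("/jans-lock")
public class LockAuthFilter implements Filter {
    static final String REQUIRED_SCOPE = "jans_lock";

    @Inject
    private TokenIntrospection introspection;

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;

        String authz = http.getHeader("Authorization");
        String token = tokenFrom(authz);
        boolean ok = token != null && introspection.isActiveWithScope(token, REQUIRED_SCOPE);

        if (ok && introspection.isDpopBound(token)) {
            // A sender-constrained token is only valid under the DPoP scheme with a proof for
            // this exact request: method GET, target = the upgrade URL (the handshake is plain
            // HTTPS, there is no ws:// URL here). Presenting it as "Bearer" must fail.
            // Behind a TLS-terminating proxy, getRequestURL() may report http://; compare htu
            // against the externally visible URL in that case.
            String proof = http.getHeader("DPoP");
            ok = isDpopScheme(authz) && proof != null
                    && introspection.verifyDpopProof(proof, token, "GET", http.getRequestURL().toString());
        }
        if (!ok) {
            out.setHeader("WWW-Authenticate", "Bearer realm=\"jans-lock\", error=\"invalid_token\"");
            out.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return; // never let an unauthenticated client upgrade
        }
        chain.doFilter(req, res); // the container's WebSocket upgrade runs after this
    }

    static boolean isDpopScheme(String authz) {
        return authz != null && authz.regionMatches(true, 0, "DPoP ", 0, 5);
    }

    // Extracts the token from "Bearer <token>" or "DPoP <token>"; null for anything else.
    static String tokenFrom(String authz) {
        if (authz == null) return null;
        String[] parts = authz.trim().split("\\s+", 2);
        if (parts.length != 2 || parts[1].isEmpty()) return null;
        String scheme = parts[0];
        if (scheme.equalsIgnoreCase("Bearer") || scheme.equalsIgnoreCase("DPoP")) return parts[1];
        return null;
    }
}
```

On the Lock client side the token goes into the upgrade request through a `ClientEndpointConfig.Configurator` whose `beforeRequest(Map<String, List<String>> headers)` adds the `Authorization` (and, for DPoP, the `DPoP`) header, referenced from `@ClientEndpoint(configurator = ...)`. Putting the token in the URL query string instead would land it in access logs and proxy logs, so the header is the right place.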