
Jans PDP Mesh

Michael Schwartz edited this page May 31, 2024 · 72 revisions

[Diagram: lock-topology]

Cedarling Requirements

  1. Embed PDP: Rust Cedar PDP
  2. HTTPS SSE: Process notifications of an updated Token Status List JWT; validate it with the Auth Server public key
  3. Lock Master POST /audit: Send telemetry, health and logs to the OAuth-protected Lock Master endpoint
  4. Auth Server POST /register: If no client credentials are present, generate keys and perform OpenID Dynamic Client Registration (upload JWKS); present an SSA JWT if available. Request a 24 hour client expiration.
  5. Auth Server POST /token: Use the Client Credentials Grant to obtain a JWT access token from the Auth Server, needed to call the audit endpoint.
  6. GET Git: On startup and periodically, retrieve policy updates from Git
  7. GET /jwks: On startup and periodically, retrieve the latest Auth Server JWKS keys (to validate any JWTs)
  8. Future: OpenID AuthZEN REST API interface (alternative to the Cedar SDK)

Lock Master Requirements

  1. /publish endpoint, protected by scope https://jans.io/scopes/lock/publish, which queues data from highly trusted sources for eventual delivery by Lock Master via SSE to all subscribed browsers
  2. /audit endpoint, protected by scope https://jans.io/scopes/lock/audit, used by Cedarlings to send telemetry and logs
  3. /lock_sse endpoint, protected by scope https://jans.io/scopes/lock/lock_sse, used by Cedarlings to subscribe for updates
  4. Timer job to GET /token_status_list_jwt from the Auth Server, which is published

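The /lock_sse subscription above (Lock Master requirement 3, consumed by Cedarling requirement 2) is a plain server-sent events stream, so the Cedarling needs an SSE parser that copes with keep-alive comment lines, multi-line `data:` fields and chunks that end mid-event. The following is an added example written for this page, not Janssen code; the event name `token_status_list`, its JSON payload layout and the sample stream are constructed assumptions.

```python
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class SseEvent:
    """One dispatched server-sent event."""
    event: str
    data: str
    id: Optional[str] = None
    retry: Optional[int] = None


def parse_sse(buffer: str):
    """Parse a chunk of an SSE stream using the WHATWG EventSource rules.

    Returns (events, leftover): only events terminated by a blank line are
    dispatched; the unterminated tail is handed back so the caller can prepend
    it to the next chunk read from the socket.
    """
    text = buffer.replace("\r\n", "\n").replace("\r", "\n")
    cut = text.rfind("\n\n")
    if cut == -1:
        return [], text
    complete, leftover = text[: cut + 2], text[cut + 2:]

    events = []
    event_type, data_lines, last_id, retry = "", [], None, None
    for line in complete.split("\n"):
        if line == "":
            # Blank line: dispatch only if the data buffer is non-empty, then reset.
            if data_lines:
                events.append(SseEvent(event_type or "message", "\n".join(data_lines), last_id, retry))
            event_type, data_lines = "", []
            continue
        if line.startswith(":"):
            continue  # comment line (Lock Master keep-alive), ignored
        field_name, sep, value = line.partition(":")
        if sep and value.startswith(" "):
            value = value[1:]  # one leading space after the colon is not part of the value
        if field_name == "event":
            event_type = value
        elif field_name == "data":
            data_lines.append(value)
        elif field_name == "id" and "\0" not in value:
            last_id = value  # last event id persists across events; used for reconnects
        elif field_name == "retry" and value.isdigit():
            retry = int(value)
        # any other field name is ignored, as the spec requires
    return events, leftover


def dispatch(events, handlers: dict):
    """Route events to handlers by event name; events with unknown names are dropped.

    Returns a list of (event_name, handler_result) for the events that were handled.
    """
    handled = []
    for ev in events:
        handler = handlers.get(ev.event)
        if handler is not None:
            handled.append((ev.event, handler(ev)))
    return handled


def on_token_status_list(ev: SseEvent):
    """Assumed payload for a status-list notification: JSON with the list URI and the new JWT.
    The Cedarling would then validate that JWT with the Auth Server public key before using it."""
    payload = json.loads(ev.data)
    return payload["uri"], payload["jwt"]


# Constructed sample stream: a keep-alive comment, a status-list notification,
# a multi-line data event with no event name, and an unterminated tail.
SAMPLE_STREAM = (
    ": keep-alive\n"
    "event: token_status_list\n"
    "id: 42\n"
    'data: {"uri": "https://as.example/token_status_list_jwt", "jwt": "eyJ.example.sig"}\n'
    "\n"
    "data: line one\n"
    "data: line two\n"
    "\n"
    "event: token_status_list\n"
    'data: {"uri": "https://as.ex'
)

if __name__ == "__main__":
    events, leftover = parse_sse(SAMPLE_STREAM)
    print(dispatch(events, {"token_status_list": on_token_status_list}))
    print("buffered tail:", repr(leftover))
```

Only events whose name the Cedarling registered a handler for are acted on; anything else arriving on the stream is discarded rather than interpreted, and the unterminated tail is carried over to the next read instead of being parsed as a truncated event.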
Auth Server Requirements

  1. Add a status index value to each JWT
  2. Create an Auth Server config property to force JWTs for all tokens to have a jti value
  3. GET /token_status_list_jwt endpoint returns the current token status list JWT (Content-Type: application/jwt)
  4. Interception script for the token_status_list response
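Requirements 1 and 3 above, with Cedarling requirement 2, describe the Token Status List mechanism: each access token carries an index, and the Auth Server publishes a compact bit array whose entry at that index says whether the token is still valid. The example below is added for this page and is not Janssen code; it assumes the IETF Token Status List draft's claim layout (`status.status_list.idx` and `uri` in the access token; `sub`, `exp` and `status_list.bits`/`lst` in the list JWT), a constructed list URI and fixed clock, and leaves JWT signature verification against the Auth Server JWKS to a JOSE library. It handles all four `bits` widths the draft allows, not only the single-bit case.

```python
import base64
import json
import zlib

# Status values defined by the Token Status List draft (draft-ietf-oauth-status-list).
VALID, INVALID, SUSPENDED = 0x00, 0x01, 0x02


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def encode_status_list(statuses, bits=1):
    """Pack per-index status values (least significant bits first), deflate, base64url-encode."""
    if bits not in (1, 2, 4, 8):
        raise ValueError("bits must be 1, 2, 4 or 8")
    per_byte, mask = 8 // bits, (1 << bits) - 1
    buf = bytearray((len(statuses) + per_byte - 1) // per_byte)
    for idx, status in enumerate(statuses):
        if status & ~mask:
            raise ValueError(f"status {status} does not fit in {bits} bits")
        buf[idx // per_byte] |= status << ((idx % per_byte) * bits)
    return {"bits": bits, "lst": b64url_encode(zlib.compress(bytes(buf), 9))}


def lookup_status(status_list: dict, idx: int) -> int:
    """Return the status value at idx. An index past the end of the list is an error, never 'valid'."""
    bits = status_list["bits"]
    if bits not in (1, 2, 4, 8):
        raise ValueError("unsupported bits value")
    raw = zlib.decompress(b64url_decode(status_list["lst"]))
    per_byte = 8 // bits
    byte_idx = idx // per_byte
    if idx < 0 or byte_idx >= len(raw):
        raise IndexError(f"index {idx} is outside the status list")
    return (raw[byte_idx] >> ((idx % per_byte) * bits)) & ((1 << bits) - 1)


def decode_claims(jwt: str) -> dict:
    """Decode the payload of a compact JWT without checking its signature.

    Signature verification with the Auth Server JWKS must happen before these
    claims are trusted; it is left out here because it needs a JOSE library.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def is_token_active(access_jwt: str, status_list_jwt: str, status_list_uri: str, now: int) -> bool:
    """Resolve the access token's status reference against a (signature-verified) status list JWT."""
    ref = decode_claims(access_jwt)["status"]["status_list"]
    if ref["uri"] != status_list_uri:
        raise ValueError("access token points at a different status list")
    sl = decode_claims(status_list_jwt)
    if sl.get("sub") != status_list_uri:
        raise ValueError("status list JWT 'sub' does not match the list URI")
    if "exp" in sl and now >= sl["exp"]:
        raise ValueError("status list JWT has expired; refresh it before deciding")
    return lookup_status(sl["status_list"], ref["idx"]) == VALID


def unsigned_jwt(claims: dict) -> str:
    """Constructed helper for the demo only: an unsigned compact JWT (real tokens are signed)."""
    header = b64url_encode(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."


STATUS_LIST_URI = "https://as.example/token_status_list_jwt"  # constructed
NOW = 1_717_200_000  # constructed fixed clock


def build_demo_tokens():
    """Constructed sample: index 5 revoked, index 7 suspended, all other indices valid (2-bit entries)."""
    statuses = [VALID] * 8
    statuses[5], statuses[7] = INVALID, SUSPENDED
    status_list_jwt = unsigned_jwt({
        "sub": STATUS_LIST_URI, "iat": NOW, "exp": NOW + 600,
        "status_list": encode_status_list(statuses, bits=2),
    })

    def access_token(idx):
        return unsigned_jwt({"jti": f"tok-{idx}", "status": {"status_list": {"idx": idx, "uri": STATUS_LIST_URI}}})

    return status_list_jwt, access_token


if __name__ == "__main__":
    status_list_jwt, access_token = build_demo_tokens()
    for idx in (0, 5, 7):
        print(idx, is_token_active(access_token(idx), status_list_jwt, STATUS_LIST_URI, NOW))
```

Two decisions matter for a PDP: an index outside the published list raises instead of reading as "valid", and a stale list (past `exp`) is refused rather than reused, which is why the Cedarling keeps the list current through the SSE notifications and validates each new list JWT before swapping it in.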

Sequence Diagrams
