Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

EDC - Authentication Delegation for Management API Calls #707

Closed
1 task done
lgblaumeiser opened this issue Jun 12, 2024 · 1 comment
Closed
1 task done

EDC - Authentication Delegation for Management API Calls #707

lgblaumeiser opened this issue Jun 12, 2024 · 1 comment
Assignees
@lgblaumeiser
Labels
edc Feature/Bug for EDC component Prep-R24.12

Comments

@lgblaumeiser
Copy link
Contributor

Description

As an EDC operator,

I want to delegate the validation of the authentication information for the management api to an external identity provider

The current practice of managing an api-key within the EDC has the disadvantage, especially for a EDC aaS provider, that many different EDC services manage their own key, which makes them in principle an identity provider. This contradicts the general strategy to reduce the number of identity providers ideally to one. The reason for that is, that processes like key rotation are simplified to one service. In addition, security audits typically involve to a large degree the identity providers and check the configuration of those. With many EDC services running, this increases the efforts for such audits.

An implementation concept exists and is described in the upstream item: eclipse-edc/Connector#4261

In summary, an additional mechanism will be provided, that allows authentication by standard JWT bearer token. It is an alternative way to authenticate and does not replace the existing api-key mechanism. The token is checked using an standard identity provider like Keycloak following standard OAuth protocols.

The feature does not include any changes towards authorization, a request with a valid token is executed without further limitations.

Impact

The concept allows to run EDCs as used without any change. The authentication delegation is added as additional feature. An EDC operator has to choose whether he wants to make use of the common authentication means or make use of the new concept. This requires of course, that all calling clients of the EDC are aware of the change and use the standard REST Authorization header with the bearer token method. For compatibility reasons, the api will allow to make use of the x-api-key header instead, i.e., a client can make use of a long living token that is used like an api-key from the client, but validated from the EDC like a standard token.

Additional information

  • I'm willing to contribute to this feature
@lgblaumeiser lgblaumeiser mentioned this issue Jun 12, 2024
Closed
4 tasks
@lgblaumeiser lgblaumeiser added the edc Feature/Bug for EDC component label Jun 13, 2024
@lgblaumeiser lgblaumeiser changed the title Authentication Delegation for Management API Calls EDC - Authentication Delegation for Management API Calls Jun 13, 2024
@lgblaumeiser
Copy link
Contributor Author

Is already part of the Tractus-X Release 0.8.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@lgblaumeiser lgblaumeiser

Labels
edc Feature/Bug for EDC component Prep-R24.12
Projects
Release Planning
Status: Done
Milestone
No milestone
Development

No branches or pull requests
1 participant
@lgblaumeiser