
Authentication consideration


Hello,

I want to use JWT between microservices (so between Requester <=> Responder, and Publisher <=> Subscriber). Is it possible? Or is there something else to authenticate calls?

Awesome project by the way: easy to understand and to use 😃

Issue Analytics

  • State: open
  • Created 6 years ago
  • Comments: 6 (2 by maintainers)

Top GitHub Comments

6 reactions
TotallyInformation commented, Sep 10, 2017

In enterprise networks it is very common to have networks that are extensive with loads of different users and services attached. While good network design, network isolation architectures and intermediary firewalls can help mitigate security issues, large organisations cannot be sure that attackers haven’t managed to get a foothold onto the network.

Therefore it is imperative that any personal/sensitive data - including authentication and authorisation - is encrypted on the wire. This is good enterprise security practice and if more widespread would certainly reduce many of the data leaks we see today by helping prevent attackers from penetrating further into restricted networks.

This is not a case of “throwing concepts” at all! This is a case of security needing defence in depth. As a security expert, this is a constant battle I have with system designers and developers whose focus may be on ease of development and deployment rather than on the wider risk management. There is no single “fix” for security but using security standards throughout certainly helps.

If you are not prepared to support security within this product, it would at least be helpful to tell people so and advise them of security best practice or at least steer them to places where they can learn.

But the real point here is what you are claiming for Cote. You are claiming that this is a “batteries included” solution and currently this is a most dangerous claim since security is virtually absent. You have even set up an e-commerce “case study” that also doesn’t seem to include any real security - given the ongoing litany of security disasters we are seeing week-in and week-out from all manner of organisations, this would seem to be very much less than helpful to the community.

This is a real shame as otherwise, this seems like an excellent tool.

5 reactions
dashersw commented, Aug 22, 2017

I personally believe you can’t solve security by throwing concepts at it. It is a conscious decision where and how you want to implement it, taking into consideration a lot of variables. I would love to hear the scenario where “the use of broadcast and multicast on closed networks without TLS & co is really dangerous in production”. Specifically, what kind of production environment is that, and how would TLS prevent a leak, as cote should be used for internal communication and securing external endpoints is out of our scope.

Having said that, in fact, cote could be extended to include TLS support — if somebody would be up for the challenge, I can offer help. Additionally, cote can already be configured (although in an obscure and hacky way at the moment) to include symmetric encryption of messages.

Then there’s the issue of authentication and authorization. Both of these are out of cote’s scope, as there are literally hundreds of ways to do these things. But, obviously, in every app that I do with cote, I implement a proprietary layer on top of cote for authentication and authorization. I believe the best way to support these features is via plugins or middleware, and it’s currently in my immediate focus.
