This is an RFC for authenticated JSON rpc API
Authentication
The engine
JSON-RPC interface, exposed by EL and consumed by CL, needs to be authenticated. The authentication scheme chosen for thus purpose is JWT.
The type of attacks that this authentication scheme attempts to protect against are the following:
- RPC port exposed towards the internet, allowing attackers to exchange messages with EL engine api.
- RPC port exposed towards the browser, allowing malicious webpages to submit messages to the EL engine api.
The authentication scheme is not designed to
- Prevent attackers with capability to read ('sniff') network traffic from reading the traffic,
- Prevent attackers with capability to read ('sniff') network traffic from performing replay-attacks of earlier messages.
Authentication is performed as follows:
- For
HTTP
dialogue, each jsonrpc
request is individually authenticated by supplying JWT
token in the HTTP header.
- For a WebSocket dialogue, only the initial handshake is authenticated, after which the message dialogue proceeds without further use of JWT.
- For
inproc
, a.k.a raw ipc communication, no authentication is required, under the assumption that a process able to access ipc
channels for the process, which usually means local file access, is already sufficiently permissioned that further authentication requirements do not add security.
JWT specifications
- The EL MUST support the at least the following
alg
HMAC + SHA256
(HS256
)
- The EL MUST reject the
alg
none
.
The HMAC algorithm means that symmetric encryption is used, thus several CL's will be able to use the same key, and, from an authentication perspective be able to impersonate each other. From a deployment perspective, it means that an EL does not need to be provisioned with individual keys for each caller.
Key distribution
The EL
and CL
clients MUST accept a cli/config parameter: jwt-secret
, a 256
bit key, to be used for verifying/generating jwt tokens.
If such a parameter is not given, the client SHOULD generate such a token, valid for the duration of the execution, and show the token in the output, which the user can then use to provision the counterpart client with.