Create distinct roles with specific permissions to call untrusted web services.
Client services authenticate as one of these roles when calling an untrusted web service.
When using an externalized (Nginx) forwarder and gatekeeper, a webservice client can send a Conjur access token for its own identity. The client doesn't have to worry about the gatekeeper misusing the access token, because the gatekeeper is trusted code.
When calling an untrusted webservice (e.g. a custom webservice which is doing custom auth in code using Conjurauth), the service client should use a weaker token for authorization. This token should have the minimum necessary privileges; essentially, no privileges beyond the right to call the untrusted service.
Conjur's authn-tv service provides a way to obtain "scoped" (to use the OAuth terminology) API keys. A scoped API key (aka refresh token) allows an authn-tv client role to authenticate as another role. This process is subject to a few simple rules:
- authn-tv requires that clients have execute privilege on the authn-tv webservice resource.
- An authn-tv client can only obtain an API key for a role which the client actually has. In other words, authn-tv can only be used to narrow privileges, not to widen them.
- API keys which are issued by authn-tv must be submitted back to the authn-tv service to obtain an access token. The standard Conjur authn service will not recognize API keys which are issued by authn-tv.
- authn-tv clients can, and should, revoke the API keys which were issued by authn-tv once they are no longer needed.
The procedure for calling an untrusted web service looks like this:
- At startup time, the client uses authn-tv to obtain API keys for a scoped set of roles. Each "scoped" role is a role which has the privileges necessary to call a specific untrusted webservice.
- When the client wants to call an untrusted webservice, it submits the scoped API key to authn-tv to obtain an access token.
- This access token is sent to the untrusted webservice as proof of authentication and authorization.
- When the client program shuts down, it instructs authn-tv to revoke the scoped API keys.
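
The rules and the startup/call/shutdown procedure above, as an added example that is not Conjur code and does not use authn-tv's real API: an in-memory Python model of the behaviour. All class, method and role names (`AuthnTV`, `issue_key`, `access_token`, `revoke`, `StandardAuthn`, `run_client`) are hypothetical.

```python
import secrets

class Denied(Exception):
    """Raised when the model refuses a request."""

class AuthnTV:
    # In-memory model of the rules listed above; not Conjur's API.
    def __init__(self, memberships, executors):
        self.memberships = memberships  # role -> set of roles that role has
        self.executors = executors      # roles with execute on authn-tv
        self.keys = {}                  # scoped API key -> scoped role

    def issue_key(self, client, scoped_role):
        if client not in self.executors:
            raise Denied("client lacks execute on the authn-tv resource")
        if scoped_role not in self.memberships.get(client, set()):
            raise Denied("client does not have this role (no widening)")
        key = "tv-" + secrets.token_hex(16)
        self.keys[key] = scoped_role
        return key

    def access_token(self, key):
        if key not in self.keys:
            raise Denied("unknown or revoked scoped API key")
        return {"role": self.keys[key]}  # token names only the scoped role

    def revoke(self, key):
        self.keys.pop(key, None)

class StandardAuthn:
    # Stand-in for the standard authn service, with its own key store.
    def __init__(self, api_keys):
        self.api_keys = api_keys        # API key -> role

    def access_token(self, key):
        if key not in self.api_keys:
            raise Denied("API key not recognized by authn")
        return {"role": self.api_keys[key]}

def run_client(tv, client, scoped_role):
    """Startup, one call, shutdown. Returns (token, key) for inspection."""
    key = tv.issue_key(client, scoped_role)   # at startup
    try:
        token = tv.access_token(key)          # before each call
        return token, key                     # token goes to the untrusted service
    finally:
        tv.revoke(key)                        # at shutdown
```

The token handed to the untrusted service names only the scoped role, so a service that misuses it gains nothing beyond the right to be called.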