I currently use Vault from hashicorp and it's pretty good. It seems

Feature request: vault authenticator about oathkeeper HOT 8 CLOSED

ory commented on May 18, 2024

Feature request: vault authenticator

from oathkeeper.

Comments (8)

aeneasr commented on May 18, 2024

Interesting idea, could you walk me through how vault works and how tokens/keys are validated at vault?

from oathkeeper.

commented on May 18, 2024

thats a huge area. Vault does alot... If you run this you can to use it with a GUI: https://github.com/Caiyeon/goldfish Also the site has lots of info.

…

-- then there is the Vault main docs. https://github.com/hashicorp/vault https://www.vaultproject.io/ - has interactive tutorial.

On Sat, 14 Jul 2018 at 12:44 Aeneas ***@***.***> wrote: Interesting idea, could you walk me through how vault works and how tokens/keys are validated at vault? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#88 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ATuCwvQH7C6iTnltA2uu3MZR1P1Rktlgks5uGctxgaJpZM4VP0Bt> .

from oathkeeper.

aeneasr commented on May 18, 2024

Yes, but it seems to me like it's storing access credentials and gives them out based on other credentials issued by vault, I'm not sure if it also allows verification of the stored access credentials as it is agnostic to them. It would be great if you could go into some detail (maybe particular flows or APIs), this would help a lot in understanding why vault would make sense as an authorization server coupled to oathkeeper.

from oathkeeper.

commented on May 18, 2024

Yes I think you have a decent idea of what if offers. Here is why I suggested it: Oxy provides a gateway but you must have a place to store the enterprise multi tenant ( iaas level and pass etc) secrets and check them, roll them and revoke them. I can not go into all the flows though here. If you want to integrate it your going to have to do the analysis on the hooks that make sense for oxy. your are going to have contradictions on the overlap of what each provides. The other reason I suggested it is because it's very hard to do what vault does without making a slip up. Many companies use vault. It's well regarded.

…

On Sat, 14 Jul 2018, 14:03 Aeneas, ***@***.***> wrote: Yes, but it seems to me like it's storing access credentials and gives them out based on other credentials issued by vault, I'm not sure if it also allows verification of the stored access credentials as it is agnostic to them. It would be great if you could go into some detail (maybe particular flows or APIs), this would help a lot in understanding why vault would make sense as an authorization server coupled to oathkeeper. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#88 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ATuCwqJLzzaf6hTfgY6effY2GjeVvXo2ks5uGd4FgaJpZM4VP0Bt> .

from oathkeeper.

commented on May 18, 2024

https://news.ycombinator.com/item?id=15284976 Pretty much expresses what I was getting at ..

…

On Sat, 14 Jul 2018, 17:15 Ged Wed, ***@***.***> wrote: Yes I think you have a decent idea of what if offers. Here is why I suggested it: Oxy provides a gateway but you must have a place to store the enterprise multi tenant ( iaas level and pass etc) secrets and check them, roll them and revoke them. I can not go into all the flows though here. If you want to integrate it your going to have to do the analysis on the hooks that make sense for oxy. your are going to have contradictions on the overlap of what each provides. The other reason I suggested it is because it's very hard to do what vault does without making a slip up. Many companies use vault. It's well regarded. On Sat, 14 Jul 2018, 14:03 Aeneas, ***@***.***> wrote: > Yes, but it seems to me like it's storing access credentials and gives > them out based on other credentials issued by vault, I'm not sure if it > also allows verification of the stored access credentials as it is agnostic > to them. It would be great if you could go into some detail (maybe > particular flows or APIs), this would help a lot in understanding why vault > would make sense as an authorization server coupled to oathkeeper. > > — > You are receiving this because you authored the thread. > Reply to this email directly, view it on GitHub > <#88 (comment)>, or mute > the thread > <https://github.com/notifications/unsubscribe-auth/ATuCwqJLzzaf6hTfgY6effY2GjeVvXo2ks5uGd4FgaJpZM4VP0Bt> > . >

from oathkeeper.

aeneasr commented on May 18, 2024

Oxy provides a gateway but you must have a place to store the enterprise multi tenant ( iaas level and pass etc) secrets and check them, roll them and revoke them.

I do understand that you can fetch credentials from vault, but those credentials are to be validated at a different endpoint. Typically you would, for example, store an API key in vault, fetch the API key from vault using some credentials, then use that API key at another endpoint. That endpoint validates the API key.

This proxy takes, for example, an API key and asks some endpoint if the API key is valid. In this regard, vault does (to my understanding) not play a role. It might be possible to first fetch the key from vault, then use it at Oathkeeper, and Oathkeeper validates it at another endpoint. To Oathkeeper itself however, it doesn't matter at all how the credentials were obtained and thus an integration with vault does not make sense.

Let me know if I blatantly misunderstood something, but I don't see how the integration would look like. That is why I asked for specifics on this matter.

from oathkeeper.

commented on May 18, 2024

I will be frank - I don't really know. I use vault and it took about 30 minutes to integrate it once in a Microservice system with consul. It was easy and worked really well. I really do wish I knew more but I don't want to lead you astray with intuitive half truths gained from my 30 minutes. I will say that what you described sounds about right from when I used it though.

…

On Sat, 14 Jul 2018, 18:33 Aeneas, ***@***.***> wrote: Oxy provides a gateway but you must have a place to store the enterprise multi tenant ( iaas level and pass etc) secrets and check them, roll them and revoke them. I do understand that you can fetch credentials from vault, but those credentials are to be validated at a different endpoint. Typically you would, for example, store an API key in vault, fetch the API key from vault using some credentials, then use that API key at another endpoint. That endpoint validates the API key. This proxy takes, for example, an API key and asks some endpoint if the API key is valid. In this regard, vault does (to my understanding) not play a role. It might be possible to first fetch the key from vault, then use it at Oathkeeper, and Oathkeeper validates it at another endpoint. To Oathkeeper itself however, it doesn't matter at all how the credentials were obtained. Let me know if I blatantly misunderstood something, but I don't see how the integration makes sense. That is why I asked for specifics on this matter. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#88 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ATuCwgA0UPXhKXn7jbJ0Po_kivIUefSQks5uGh1JgaJpZM4VP0Bt> .

from oathkeeper.

aeneasr commented on May 18, 2024

I took some time yesterday to look through the docs and wasn't able to figure out a way to make a useful integration. I'm thus closing this issue. Regardless, thank you for your ideas & time. If I missed something please let me know and I'll immediately reopen the issue, I think integration with vault would be amazing.

from oathkeeper.

Feature request: vault authenticator about oathkeeper HOT 8 CLOSED

Comments (8)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent