API authentication keys

[oliverbarnes]

For an initial level of security on the open API. This will likely involve a developer/app/third-party registry where one needs to signup and get their key so their app can interact with the API.

Eventually this registry could evolve to a Organizations service, within which votes and proposals could be grouped and their visibility restricted.

[oliverbarnes]

• App Owner signs up

• api key generated by service on sign up

• App Owner gets api key

• App Owner app sends requests with api key

• token api validates the request based on key

  • ingress would query the api key service to validate existence before letting request go through

• liquidvoting api sends back response within scope of api key

• eventually App Owner will want to refresh the key

[oliverbarnes]

Having one resettable key per developer/consumer app sent over the header will give us measure of security, but that gets fragile when used in requests straight from javascript, bypassing the consumer app server altogether. In this case the key will be visible in the javascript source.

Supporting direct javascript requests will be more involved, so let's do it once we have basic server api keys going. One reference is Stripe publishable keys

[oliverbarnes]

We can use the nginx.ingress.kubernetes.io/auth-url annotation for this

Reference: https://medium.com/@ankit.wal/authenticate-requests-to-apps-on-kubernetes-using-nginx-ingress-and-an-authservice-37bf189670ee

[oliverbarnes]

Basic auth service is up and running on the cluster, checking against a hardcoded demo key.

Next step is building up the private keys generation and authenticating against them

[oliverbarnes]

Updated original title and comments above to refer to keys, not tokens. Initially each org will just have a unique key and use it for access. Down the line we'll use ephemeral tokens that will be associated with private keys that won't be passed around.

[oliverbarnes]

getting started on keys associated to organizations

[oliverbarnes]

Thread on api keys on elixir forum: https://elixirforum.com/t/architecture-for-client-server-authentication-api-key/12116