
Jans PDP Mesh

Michael Schwartz edited this page May 19, 2024 · 72 revisions


Cedarling Requirements

  1. Embedded PDP: Rust Cedar PDP (the Cedar policy decision point runs in-process).
  2. HTTPS SSE: Process notifications of an updated Token Status List JWT; validate it with the Auth Server public key.
  3. Lock Master POST /audit: Send telemetry, health and logs to the OAuth-protected Lock Master endpoint.
  4. Auth Server POST /register: If no client credentials are present, generate keys and perform OpenID Dynamic Client Registration (upload JWKS); present the SSA JWT if available. Request a 24 hour client expiration.
  5. Auth Server POST /token: Use the Client Credentials Grant to obtain a JWT access token from the Auth Server, needed to call the audit endpoint.
  6. GET Git: On startup and periodically, retrieve policy updates from Git.
  7. GET /jwks: On startup and periodically, retrieve the latest Auth Server JWKS keys (to validate any JWTs).
  8. Future: OpenID AuthZEN REST API interface (alternative to the Cedar SDK).

Lock Master Requirements

  1. /publish endpoint, protected by scope https://jans.io/scopes/lock/publish, which queues data for eventual delivery by Lock Master via SSE to all subscribed browsers.
  2. /audit endpoint, protected by scope https://jans.io/scopes/lock/audit, for telemetry and logs.
  3. /lock_sse endpoint, protected by scope https://jans.io/scopes/lock/lock_sse, used by Cedarlings to subscribe for updates.

Auth Server Requirements

  1. Add a status index value to each JWT.
  2. Create an Auth Server config property that forces the JWTs for all tokens to carry a jti value.
  3. Generate an updated Status List JWT either periodically or in real time (configurable by the admin) and invoke /publish on Lock Master.
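How the status index from Auth Server requirement 1 is consumed by a Cedarling after it receives an updated Token Status List JWT over SSE (Cedarling requirement 2), as an added example that is not Janssen project code. It assumes the list format of draft-ietf-oauth-status-list (a `status_list` claim with `bits` and a zlib-compressed, base64url-encoded `lst`, and a `status.status_list.{uri,idx}` reference in each access token), and that the Status List JWT signature has already been verified against the Auth Server JWKS; the sample data at the bottom is constructed.

```python
import base64
import zlib


def b64url_decode(data: str) -> bytes:
    # JWT-style base64url without padding
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def build_status_list(statuses: list[int], bits: int = 1) -> dict:
    """Pack per-token statuses (list position = status index) into a
    'status_list' claim: bit array, least-significant bit first, then
    zlib/DEFLATE compressed and base64url encoded (assumed draft format)."""
    assert bits in (1, 2, 4, 8)
    raw = bytearray((len(statuses) * bits + 7) // 8)
    for idx, value in enumerate(statuses):
        assert 0 <= value < (1 << bits)
        pos = idx * bits
        raw[pos // 8] |= value << (pos % 8)
    return {"bits": bits, "lst": b64url_encode(zlib.compress(bytes(raw)))}


def token_status(status_list_claim: dict, idx: int) -> int:
    """Return the status value stored at one token's status index
    (0 = VALID, 1 = INVALID/revoked in the draft's default mapping)."""
    bits = status_list_claim["bits"]
    raw = zlib.decompress(b64url_decode(status_list_claim["lst"]))
    pos = idx * bits
    if pos // 8 >= len(raw):
        # An index the Auth Server never published is treated as an error,
        # not silently as "valid".
        raise IndexError("status index beyond published list")
    return (raw[pos // 8] >> (pos % 8)) & ((1 << bits) - 1)


def is_token_active(status_jwt_payload: dict, access_token_payload: dict) -> bool:
    """Cedarling-side check: the access token names the list URI and its index;
    the Status List JWT's 'sub' is that URI and carries the packed list."""
    ref = access_token_payload["status"]["status_list"]
    if ref["uri"] != status_jwt_payload["sub"]:
        return False  # token points at a different list than the one we hold
    return token_status(status_jwt_payload["status_list"], ref["idx"]) == 0


# Constructed sample: indexes 1, 4, 5 and 8 are revoked.
SAMPLE_LIST = {"sub": "https://as.example/status/1",
               "status_list": build_status_list([0, 1, 0, 0, 1, 1, 0, 0, 1])}
```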

Sequence Diagrams
