Commit 861d08d

docs: Security implementation docs
1 parent b24ed0d commit 861d08d

2 files changed

Lines changed: 73 additions & 0 deletions


docs/Http.md

Lines changed: 26 additions & 0 deletions
@@ -0,0 +1,26 @@
1+
### 1.1. Http: Security: SameClient using OAuth Bearer Token Usage
2+
3+
The client is considered authenticated with itself
4+
as the subject when it provides an access token
5+
using [RFC6750](https://datatracker.ietf.org/doc/html/rfc6750)
6+
with either its client id in the `client_id` claim
7+
and the `iss` claim is a trusted **subject** identity
8+
provider or its client id in the `sub` claim and
9+
the `iss` is a trusted **client** identity provider.
10+
11+
### 1.2. Http: Security: SameSoftware using OAuth Bearer Token Usage
12+
13+
The client is considered authenticated with its software
14+
as the subject when it provides an access token
15+
using [RFC6750](https://datatracker.ietf.org/doc/html/rfc6750)
16+
with its software id in the `software_id` claim
17+
and the `iss` claim is either a trusted **subject** identity
18+
provider or a trusted **client** identity provider.
19+
20+
### 1.3. Http: Security: SameSubject using OAuth Bearer Token Usage
21+
22+
The client is considered authenticated with some
23+
subject in some issuer when it provides an access token
24+
using [RFC6750](https://datatracker.ietf.org/doc/html/rfc6750)
25+
with the subject matching the `sub` claim and the
26+
subject issuer matching the `iss` claim.
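Review bot: none of the three rules requires the token to be addressed to the verifying service or to be unexpired, so a bearer token that a trusted identity provider minted for some other resource satisfies 1.1 or 1.2 exactly as written. Suggest a common validity clause that all three sections reference, e.g. "the `aud` claim must name this service and the token must be within its `exp`". The sections also rely on `client_id`, `sub` and `iss` claims, which presupposes a JWT-formatted access token; RFC 6750 only covers how the token is carried, so state that the token is a JWT (the JWT access token profile, RFC 9068, is the natural reference). Two readability points: the either/and/or chain in 1.1 is hard to parse, and two bullet alternatives ("`client_id` equals the client id and `iss` is a trusted subject identity provider"; "`sub` equals the client id and `iss` is a trusted client identity provider") would make the precedence explicit; and 1.3, unlike 1.1 and 1.2, never says whether the `iss` must be a trusted provider, so say so if that is intended.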

docs/Kafka.md

Lines changed: 47 additions & 0 deletions
@@ -0,0 +1,47 @@
1+
### 1. Kafka: Event Security: SameClient, SameSoftware, SameService using Signatures
2+
3+
The client, software or service (the entity) is considered authenticated
4+
with itself as the subject when it provides a header `Authorization`
5+
with the `auth-scheme` being the literal `Sig` and the value being
6+
a JWS signed by a trusted key of the entity.
7+
8+
The means for obtaining or verifying the key used for signing
9+
the jwt is out of the scope of this specification.
10+
11+
- `topic` claim:
12+
13+
The jwt should include the claim `topic` which should be the
14+
topic the jwt was dispatched to.
15+
16+
- `iss` claim:
17+
18+
The jwt should include the claim `iss` which should be the
19+
id of the entity.
20+
21+
- `aud` claim:
22+
23+
The jwt should include the claim `aud` which should include
24+
a previously agreed upon name or uri of the recipient. If no
25+
explicit recipient is targeted, this claim should be omitted.
26+
27+
- `v_hash` claim:
28+
29+
The JWT should include the claim `v_hash` with its value being
30+
the base64url encoding of the left-most half of the hash of
31+
the octets of the ASCII representation of the event value,
32+
where the hash algorithm used is the hash algorithm used in
33+
the `alg` Header Parameter of the JWS Header.
34+
This is similar to `c_hash` and `at_hash` at
35+
[https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken]
36+
37+
Example (ignore new line proceeded with four spaces):
38+
39+
```jws
40+
Authorization: Sig eyJhbGciOiJIUzI1NiIsImtpZCI6Imc3ZlB6MnZMIn0.
41+
eyJ0b3BpYyI6Ii0tdG9waWMtbmFtZS0tIiwiaXNzIjoiX19zb2Z0d2FyZV9pZF9
42+
fIiwiYXVkIjoiaHR0cHM6Ly9zZXJ2aWNlLmV4YW1wbGUuY29tLyIsImlhdCI6MT
43+
UxNjIzOTAyMiwidl9oYXNoIjoiVmJtMmVueFVLb1hiZnRNZm9yaC0tdyJ9.
44+
Pwr-zMtT1YdmgWw84QOWwCL4nLU8eH1aWTu481uWuM4
45+
46+
{"firstname":"John","lastname":"Doe"}
47+
```
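Review bot: the claim list gives a consumer no way to reject a replayed event: `topic` and `v_hash` bind the signature to the topic and the payload, but nothing requires `iat`/`exp` (the example carries `iat`, yet the text never mentions it) or a `jti`, so a captured `Authorization: Sig ...` header together with its value can be re-published to the same topic and will verify again. Suggest adding `iat` plus either `exp` or a maximum accepted age to the required claims. Two smaller points: the example's protected header decodes to `{"alg":"HS256","kid":"g7fPz2vL"}`, a symmetric MAC, which does not match "a JWS signed by a trusted key of the entity" or the notion of consumers verifying rather than sharing the key; an asymmetric `alg` in the example would fit the text, and the `kid` header, which the text never mentions, should be documented as the key selector. Also, `v_hash` is defined over "the octets of the ASCII representation of the event value", which is undefined for binary or non-ASCII values; define it over the raw bytes of the event value and say what the consumer must do on mismatch. Typo in the example caption: "proceeded" should be "preceded".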
