Source: https://github.com/Moranilt/jwt-gRPC (owner Moranilt; previously named moranilt/jwt-http2). Language: Go. License: Apache-2.0. Topics: consul, docker-compose, golang, grpc, jwt, microservice, vault. Repository created 2023-06-25, last pushed 2023-07-06. Files on record: README.md and LICENSE; no SECURITY.md, threat model or audit.

# jwt-gRPC

JWT issuance and validation implemented according to [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519) and exposed over [gRPC](https://grpc.io/).

The core idea is a fast and secure service that creates and manages JWTs without storing sensitive data in the token payload: the token carries an identifier, and the data it refers to lives server-side (see Redis below).

To create and validate tokens the application uses an RSA key pair, which this README and the Vault paths call the **public** and **private** certificates. The **private** certificate is needed only by this service, to sign JWTs; the **public** certificate is what other services need to validate them. Keep the private certificate out of every consumer: a verifier that holds only the public key, and accepts only the RSA algorithm it expects, cannot be turned into a token issuer.

## Environments
| Name | Type | Description |
| ---- | ---- | ----------- |
| PORT_GRPC | integer | gRPC port of the main server |
| PORT_REST | integer | Port of the REST **/watch** endpoint |
| PRODUCTION | boolean | Turn production mode on or off |
| CONSUL_HOST | string | Consul host: hostname and port only, e.g. `localhost:8500` |
| CONSUL_TOKEN | string | Consul [ACL](https://developer.hashicorp.com/consul/tutorials/security/access-control-setup-production) token. May be empty. |
| CONSUL_KEY_FOLDER | string | Root folder of all configuration files |
| CONSUL_KEY_VERSION | string | Name of the version folder |
| CONSUL_KEY_FILE | string | Name of the configuration file |
| TRACER_URL | string | Jaeger collector URL including protocol, e.g. `http://localhost:14268/api/traces` |
| TRACER_NAME | string | Name of the application in the Jaeger UI |
| VAULT_MOUNT_PATH | string | Vault mount name, i.e. the name of the KV store |
| VAULT_PUBLIC_CERT_PATH | string | Path under the mount where the public certificate is stored |
| VAULT_PRIVATE_CERT_PATH | string | Path under the mount where the private certificate is stored |
| VAULT_REDIS_CREDS_PATH | string | Path under the mount where the Redis connection data is stored |
| VAULT_TOKEN | string | Vault token the client connects with |
| VAULT_HOST | string | Vault address including protocol and port, e.g. `http://localhost:8200` |

## Main tools

### Redis
Used to store the secret data behind each token, keyed by token UUID. Every token has its own UUID, which is the key in Redis; the userId is the value stored under that key. Nothing about the user needs to travel inside the JWT itself.

### Consul
Store your configuration in [Consul](https://www.consul.io/) and version the configs together with the app. The app exposes a **/watch** endpoint; Consul sends the new data there whenever you change the config.

If the app is version **v1.0.1**, it waits for changes to the config with version **v1.0.1**.

The path is formed as:  
`/folder/version/file`

Using the ENV variables:  
`/CONSUL_KEY_FOLDER/CONSUL_KEY_VERSION/CONSUL_KEY_FILE`

Example:  
`/jwt_auth/v1.0.0/config.yaml`

### Jaeger
[Jaeger](https://www.jaegertracing.io/): open source, end-to-end distributed tracing. Monitor and troubleshoot transactions in complex distributed systems. Fast and very comfortable to use.

### Vault
[Vault](https://www.vaultproject.io/) is a complex tool. In our situation we use it to store the Redis connection data and the certificates.

The main reason to use it is that you can create tokens for other applications and attach policies that allow reading only the public certificate.

For example:

We have the **public** and **private** certificates in folder **crt**. Their paths are **/authentication/crt/public** and **/authentication/crt/private**.

We have an application **users** that wants to validate JWTs created by our application.

Follow these steps to allow it to read only the public certificate from Vault:
1. Create a policy that only allows reading **/authentication/crt/public** (user-policy.hcl). Note the `data/` segment: the KV v2 engine inserts it between the mount and the secret path, so the policy path differs from the path you wrote the secret to.
Example of **user-policy.hcl**:
```hcl
path "authentication/data/crt/public" {
  capabilities = ["read"]
}
```
2. Write this policy to Vault
```bash
vault policy write user-policy /policies/user-policy.hcl
```
3. Create a Vault token with this policy (Vault also attaches the built-in `default` policy unless you pass `-no-default-policy`)
```bash
vault token create -policy=user-policy
```
4. Give this new token to the **users** app

The **users** app can now read data only from **/authentication/crt/public**; in particular it cannot read the private certificate.

## Configuration
You can find the default configuration in the repository: [config.yaml](https://github.com/Moranilt/jwt-gRPC/blob/main/config.yaml)

### Consul

| Name | Field | Type | Description |
| ---- | ----- | ---- | ----------- |
| issuer | | string | [JWT iss](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1) |
| subject | | string | [JWT sub](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2) |
| audience | | string[] | [JWT aud](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3) |
| ttl | | object | TTL settings for tokens |
| | access | string | TTL of the access token |
| | refresh | string | TTL of the refresh token |

TTL values use their own unit suffixes rather than a standard duration format. You can pass `s`, `m`, `h` and `d`.

`s` - seconds  
`m` - minutes  
`h` - hours  
`d` - days

### Vault
By default Vault holds the Redis data and the certificates.

Redis data ([redis_config.json](https://github.com/Moranilt/jwt-gRPC/blob/main/init/vault/redis_config.json)):
```json
{
  "host": "localhost:6379",
  "password": ""
}
```

The shipped default has an empty Redis password; set one before Redis is reachable from anywhere but localhost, since this store is what ties a token UUID to a user.

Certificates:
```json
{
  "key": "certificate string"
}
```