Ecosyste.ms: Awesome
https://github.com/unitvectory-labs/serviceauthcentral
Simplify microservice security with ServiceAuthCentral: Centralized, open-source authorization in the cloud, minus the shared secrets.
graphql java-17 oauth2 serviceauthcentral spring-boot
- Host: GitHub
- URL: https://github.com/unitvectory-labs/serviceauthcentral
- Owner: UnitVectorY-Labs
- License: apache-2.0
- Created: 2023-12-10T16:07:37.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2024-09-16T02:20:49.000Z (4 months ago)
- Last Synced: 2024-09-17T03:18:14.211Z (4 months ago)
- Topics: graphql, java-17, oauth2, serviceauthcentral, spring-boot
- Language: Java
- Homepage: https://serviceauthcentral.unitvectorylabs.com/
- Size: 1.53 MB
- Stars: 0
- Watchers: 2
- Forks: 1
- Open Issues: 3
Metadata Files:
- Readme: README.md
- License: LICENSE
README
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) [![Work In Progress](https://img.shields.io/badge/Status-Work%20In%20Progress-yellow)](https://guide.unitvectorylabs.com/bestpractices/status/#work-in-progress)
# ServiceAuthCentral
Simplify microservice security with ServiceAuthCentral: Centralized, open-source authorization in the cloud, minus the shared secrets.
## References
- [ServiceAuthCentral](https://github.com/UnitVectorY-Labs/ServiceAuthCentral) - Simplify microservice security with ServiceAuthCentral: Centralized, open-source authorization in the cloud, minus the shared secrets.
- [ServiceAuthCentral Documentation](https://serviceauthcentral.unitvectorylabs.com/) - Documentation for ServiceAuthCentral
- [serviceauthcentralweb](https://github.com/UnitVectorY-Labs/serviceauthcentralweb) - Web-based management interface for ServiceAuthCentral
- [serviceauthcentral-client-java](https://github.com/UnitVectorY-Labs/serviceauthcentral-client-java) - Java client for requesting tokens from the ServiceAuthCentral OAuth 2.0 authorization server.
- [serviceauthcentral-gcp-tofu](https://github.com/UnitVectorY-Labs/serviceauthcentral-gcp-tofu) - OpenTofu module for deploying a fully working ServiceAuthCentral deployment in GCP

## Overview
This application implements the OAuth 2.0 Client Credentials flow for machine-to-machine authentication and authorization, acting as a centralized authorization server. For one client to be issued an access token, in the form of a JWT, whose audience is another client, that authorization must be granted in this centralized server. Servers verifying client requests can therefore trust the calling client on the basis that the JWT is valid and was issued by this authorization server.
The primary design objective of this project is that secrets are best avoided if possible. Every design decision is based around eliminating or minimizing the possibility of having any secrets that can be accidentally exposed.
This application is a Spring Boot application designed to run on GCP, using Firestore as the primary database and Cloud Key Management Service for signing JWTs. By offloading management of the private key used to sign JWTs to Google, the key is far less likely to be leaked.
The desire to eliminate secrets does not stop there. While the standard client_id and client_secret can be used, an alternative authentication mechanism lets the calling client present its own JWT, such as one issued to a GCP Service Account, to authenticate the credentials exchange with the authorization server in place of a client_secret. Where such JWTs can be used, no client secret needs to be stored at all.
## Related Project
The front-end web application for this project is implemented in [UnitVectorY-Labs/serviceauthcentralweb](https://github.com/UnitVectorY-Labs/serviceauthcentralweb).
## Data Plane
The data plane for ServiceAuthCentral provides the token endpoint for exchanging tokens.
## Control Plane
The control plane for ServiceAuthCentral is a GraphQL API for managing the clients and their authorizations.