7. Standalone JWT server
JWT authentication is a popular authentication method for HTTP service and client, App Mesh implemented a JWT Server with RBAC (role based access control) and this service can be used to build a JWT server for other systems. detail design refer to JWT Design
7.1. Solution
7.1.1. App Mesh can manage bellow concepts
Users
Roles
Groups
Permissions
7.1.2. Bellow APIs for security
| Index | Method | URI | Body/Headers | Desc |
|---|---|---|---|---|
| 1 | POST | /appmesh/login | Username=base64(uname) Password=base64(passwd) Optional: Expire-Seconds=600 |
JWT authenticate login |
| 2 | POST | /appmesh/auth | curl -X POST -k -H "Authorization:Bearer Optional: Auth-Permission=permission_id |
JWT token and permission authenticate |
| 3 | POST | /appmesh/user/admin/passwd | New-Password=base64(passwd) | Change user password |
| 4 | POST | /appmesh/user/usera/lock | admin user to lock usera | |
| 5 | POST | /appmesh/user/usera/unlock | admin user to unlock usera | |
| 6 | PUT | /appmesh/user/usera | Add usera to Users | |
| 7 | DEL | /appmesh/user/usera | Delete usera | |
| 8 | GET | /appmesh/users | Get user list | |
| 9 | GET | /appmesh/roles | Get role list | |
| 10 | POST | /appmesh/role/roleA | Update roleA with defined permissions | |
| 11 | DELETE | /appmesh/role/roleA | Delete roleA | |
| 12 | GET | /appmesh/user/permissions | Get user self permissions, user token is required in header | |
| 13 | GET | /appmesh/permissions | Get all permissions | |
| 14 | GET | /appmesh/user/groups | Get all user groups |
7.1.3. Manage
Other system can call the 10th API to define Roles and Permissions, and call 6th API to define user with corresponding role.
7.1.4. Authenticate
System login and permission can all forward to App Mesh 1st and 2nd API to do the authentication.
7.1.5. UI
All those managements API can be operated by UI
7.1.6. Deploy a JWT server with SSL certificate
compose.yml
version: "3"
services:
jwt_appmesh:
image: laoshanxi/appmesh:latest
hostname: www.appmesh.com
restart: always
volumes:
- /etc/ssl/ca-bundle.pem:/opt/appmesh/ssl/ca.pem
- ./server.pem:/opt/appmesh/ssl/server.pem
- ./server-key.pem:/opt/appmesh/ssl/server-key.pem
- ./security.json:/opt/appmesh/security.json:rw
ports:
- "6060:6060"
environment:
- APPMESH_REST_RestListenAddress=www.appmesh.com
jwt_appmesh_ui:
image: laoshanxi/appmesh-ui:latest
restart: always
volumes:
- ./server.pem:/etc/nginx/conf.d/server.crt
- ./server-key.pem:/etc/nginx/conf.d/server.key
ports:
- "8443:443"
environment:
- APP_MESH_SERVER_HOST=www.appmesh.com
links:
- jwt_appmesh
depends_on:
- jwt_appmesh