a collection of prototype service wrappers for added client validations

jpegleg/osprey_validator

osprey_validator 🐟 🦅

a collection of prototype service wrappers for added client validations

JWT area:

Rather than exposing the JWT consumer externally, expose a wrapper service that does additional policy validation and decryption, for hardening on top of JWT services. Token-creating systems can also have wrappers that encrypt/sign the JWT before handing it back to the client to make it tamper-proof, so that the token data can't be read by the client or tampered with at all.

The approach uses mTLS (client auth) in HAProxy, letting valid client certificates fetch the signed tokens, which can then be used with the demo service for 60 seconds.

With this approach, the JWT is no longer treated directly as a JWT, but instead is treated as a signed blob with custom processing, then treated as a JWT under the hood.
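
The signed-blob handling described above, as an added Python example that is not code from osprey_validator or its Rust services. The envelope layout, the `.` separator, the function names, the demo key and the sample token are assumptions, and only the signing half is shown (no encryption).

```python
import base64
import hashlib
import hmac
import struct
import time

MAX_AGE_SECONDS = 60  # the demo lets a token be used for 60 seconds
DEMO_KEY = b"constructed-demo-key"  # constructed; never a real key
SAMPLE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2ln"  # constructed


class BlobRejected(Exception):
    """Raised when the outer envelope fails validation."""


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def wrap(jwt, key, now=None):
    """Issuer-side wrapper: bind the JWT to an issue time and MAC both."""
    issued = int(time.time() if now is None else now)
    body = struct.pack(">Q", issued) + jwt.encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def unwrap(blob, key, now=None):
    """Consumer-side wrapper: check MAC and age before any JWT parsing."""
    try:
        body_part, tag_part = blob.split(".")
        body, tag = _unb64(body_part), _unb64(tag_part)
    except ValueError:
        raise BlobRejected("malformed envelope") from None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison; a short body can never carry a timestamp.
    if not hmac.compare_digest(tag, expected) or len(body) < 8:
        raise BlobRejected("bad signature")
    issued = struct.unpack(">Q", body[:8])[0]
    age = (time.time() if now is None else now) - issued
    if not 0 <= age <= MAX_AGE_SECONDS:
        raise BlobRejected("outside validity window")
    return body[8:].decode()  # only now is it handed to the JWT validator
```

The inner JWT validator still checks the token's own signature and claims; the envelope only decides whether the blob reaches it.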

For a JWT generation and validation starting point (as used in the prototype osprey 1), see https://github.com/jpegleg/royal_blobs_jwt_service

For a JWT generation and validation starting point plus a program execution template (as used in the prototype osprey 2), see https://github.com/jpegleg/fixadm

Osprey 1

Compile the royal_blobs_jwt_service with cargo and put the binary in the Docker build dir. This is a working demonstration:

https://github.com/jpegleg/osprey_validator/tree/main/docker/osprey_1

The demo includes demo private keys; don't use those for real stuff, only for the demo.

Osprey 2

Compile the fixadm_service with cargo, put the binary in the Docker build dir along with the demo files and generated files:

https://github.com/jpegleg/osprey_validator/tree/main/docker/osprey_2

The example executions and HMAC need to be adjusted as needed per use case.

Osprey 3

Compile the three_pki with cargo, put the binary in the Docker build dir along with the demo files and generated files:

https://github.com/jpegleg/osprey_validator/tree/main/docker/osprey_3

The example executions and HMAC need to be adjusted as needed per use case.
