EMCP Authentication

How the EMCP Backend authenticates against the VHSM and issues tokens for the EMCP frontend.

EMCP Backend Authentication

EMCP can authenticate against the VHSM using the userpass authentication method already present in Vault: https://developer.hashicorp.com/vault/api-docs/auth/userpass#login. The auth method is mounted at userpass; the username is emcp.

The token periodically expires and needs to be renewed: https://developer.hashicorp.com/vault/api-docs/auth/token#renew-a-token-self. Re-authenticating would also work, but renewing the token is the preferred way.

Policy

Currently the policy allows all access. This will be limited in the future once all required interactions are defined.

EMCP Frontend Authentication

The EMCP backend should issue JWTs for an authenticated frontend user. This JWT can be used with the emcp authentication method to gain an access token for the customer namespace in the VHSM.

Usage of the JWT from the frontend: https://developer.hashicorp.com/vault/api-docs/auth/jwt#jwt-login. CORS is already set to allow access.

For this, the EMCP backend should provide a JWKS endpoint that is reachable by the VHSM. JWTs should be signed with an ES256 key. Example claim set:

{
  "iss": "emcp",
  "aud": "vhsm",
  "sub": "emcp-user",
  "namespace": "team-id",
  "user": "user-id",
  "exp": 1712013572,
  "iat": 1712012972,
  "nbf": 1712012972
}

iss, aud and sub must be set exactly to these values. namespace should be the id of the namespace that was created for the customer. The user claim (user-id above) is the id of the user requesting the JWT.
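As an added illustration (not code from the EMCP project), the following Go program shows how a backend could build this claim set, sign it as an ES256 JWT and publish the matching JWKS document using only the standard library. The kid value, the 10-minute lifetime and the team-id/user-id sample values are assumptions; the VHSM JWKS URL and the emcp mount name are not part of this snippet.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

var b64 = base64.RawURLEncoding // JOSE uses unpadded base64url throughout

// NewClaims builds the claim set the emcp auth method expects: iss, aud and sub are fixed,
// namespace is the customer's namespace id, user the id of the user requesting the JWT.
func NewClaims(namespace, user string, now time.Time, ttl time.Duration) map[string]any {
	return map[string]any{"iss": "emcp", "aud": "vhsm", "sub": "emcp-user", "namespace": namespace,
		"user": user, "exp": now.Add(ttl).Unix(), "iat": now.Unix(), "nbf": now.Unix()}
}

// SignES256 returns a compact JWS (header.claims.signature) using ECDSA P-256 with SHA-256.
func SignES256(key *ecdsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 wants raw r||s (each left-padded to 32 bytes), not the DER form ecdsa.SignASN1 yields.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig), nil
}

// JWKS renders the public key as the JWKS document the VHSM fetches; kid must match the JWT header.
func JWKS(pub *ecdsa.PublicKey, kid string) string {
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	out, _ := json.Marshal(map[string]any{"keys": []map[string]string{{"kty": "EC", "crv": "P-256",
		"alg": "ES256", "use": "sig", "kid": kid, "x": b64.EncodeToString(x), "y": b64.EncodeToString(y)}}})
	return string(out)
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // assumed: key generated at startup
	tok, _ := SignES256(key, "emcp-key-1", NewClaims("team-id", "user-id", time.Now(), 10*time.Minute))
	fmt.Println(tok + "\n" + JWKS(&key.PublicKey, "emcp-key-1"))
}
```

Serving the JWKS output at the endpoint the VHSM is configured to fetch, and rotating kid together with the key, is all that remains for the jwt login to validate the token.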

Policy

Currently the policy allows full access to the namespace. This will be limited in the future once all required interactions are defined. The user-id can be used as a template variable in the policy.
