EMCP Authentication
How the EMCP backend authenticates against the VHSM and issues tokens for the EMCP frontend.
EMCP Backend Authentication
EMCP can authenticate against the VHSM using the userpass authentication method already present in Vault: https://developer.hashicorp.com/vault/api-docs/auth/userpass#login. This plugin is mounted at userpass, the username is emcp.
The token periodically expires and needs to be renewed: https://developer.hashicorp.com/vault/api-docs/auth/token#renew-a-token-self. It would also be possible to reauthenticate, but renewal is the preferred way.
Policy
Currently the policy allows all access. This will be limited in the future once all required interactions are defined.
EMCP Frontend Authentication
The EMCP backend should issue JWTs for an authenticated frontend user. This JWT can be used with the emcp authentication method to gain an access token for the customer namespace in the VHSM.
Usage of the JWT from the frontend: https://developer.hashicorp.com/vault/api-docs/auth/jwt#jwt-login. CORS is already set to allow access.
For this the EMCP backend should provide a JWKS endpoint that is reachable by the VHSM. JWTs should be signed with an ES256 key.
iss, aud and sub must be set exactly to these values. namespace should be the id of the namespace that was created for the customer. user-id is the id of the user requesting the JWT.
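The issuance and check described above, as an added example that is not part of this page or the EMCP code: the backend would serve JWKS() at its JWKS endpoint, Mint() produces the frontend JWT, and Verify() does what the VHSM's jwt auth method does after fetching the JWKS. The iss, aud and sub values, the kid and the namespace and user ids used with it are placeholders, since the page does not state them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT and JWKS both use base64url without padding
func be32(n *big.Int) []byte { return n.FillBytes(make([]byte, 32)) } // fixed-width P-256 scalar
// JWKS is the key-set document the EMCP backend publishes at a URL the VHSM can reach.
func JWKS(pub *ecdsa.PublicKey, kid string) string {
	out, _ := json.Marshal(map[string]interface{}{"keys": []map[string]string{{"kty": "EC", "crv": "P-256",
		"alg": "ES256", "use": "sig", "kid": kid, "x": b64.EncodeToString(be32(pub.X)), "y": b64.EncodeToString(be32(pub.Y))}}})
	return string(out)
}
// Mint issues the frontend JWT; per RFC 7518 the ES256 JWS signature is the raw R||S pair (32 bytes each), not DER.
func Mint(priv *ecdsa.PrivateKey, kid string, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims) // iss, aud, sub, namespace, user-id and exp are supplied by the caller
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(append(be32(r), be32(s)...)), nil
}
// Verify mirrors the VHSM's jwt auth method: pin ES256 (ignore the token's own alg header), check the signature, return claims.
func Verify(token, jwks string) (claims map[string]interface{}, ok bool) {
	var set struct{ Keys []struct{ X, Y string } }
	parts := strings.Split(token, ".")
	if json.Unmarshal([]byte(jwks), &set) != nil || len(set.Keys) == 0 || len(parts) != 3 {
		return nil, false
	}
	x, _ := b64.DecodeString(set.Keys[0].X)
	y, _ := b64.DecodeString(set.Keys[0].Y)
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	sig, err := b64.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, false
	}
	body, _ := b64.DecodeString(parts[1])
	return claims, json.Unmarshal(body, &claims) == nil
}
```

Vault additionally enforces exp, nbf and the bound issuer and audiences configured on the emcp auth method, which Verify leaves to the caller.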
Policy
Currently the policy allows full access to the namespace. This will be limited in the future once all required interactions are defined. The user-id can be used as a template variable in the policy.