This repository has been archived by the owner on Nov 26, 2020. It is now read-only.
Authentication flow
Farshid Tavakolizadeh edited this page Sep 20, 2019 · 11 revisions
Workflow for setting up the Deployment Agent (client) on a device and registering it with the Deployment Manager (server) for the first time.
The device and server talk over two protocols: ZeroMQ and HTTP. ZeroMQ carries the pub/sub traffic (pushing software updates to devices, receiving status and logs back); HTTP carries management tasks over a RESTful API. The Deployment GUI makes extensive use of the RESTful API.
The sequence is illustrated below:
- The Deployment Manager generates a persistent CurveZMQ key pair (Mkeypair).
- A user authenticates [1] and asks the server for a token [2] over the RESTful API (TLS with a CA-signed certificate).
- The user manually copies the token to the device.
- The user installs the Deployment Agent on the device, which starts a background service.
- The Deployment Agent generates a persistent CurveZMQ key pair (Akeypair).
- The Deployment Agent submits the token, its CurveZMQ public key (Apub), and metadata for device registration to the server's RESTful API.
- The Deployment Manager verifies the token and the registration document. If both are valid, it:
  - invalidates the token and registers the device, recording Apub, and
  - responds with its CurveZMQ public key (Mpub).
- The Deployment Agent contacts the server over ZeroMQ. The two sides establish a secure channel using CurveZMQ [3]; since each already holds the other's public key, the agent can authenticate the server and the server can authenticate the agent.

[1] OpenID Connect authentication.
[2] The token is an ephemeral, single-use credential: it is valid only for a short time and is consumed by the registration that uses it.
[3] We use the Ironhouse pattern: both sides have CurveZMQ key pairs, and the server only accepts clients whose public key it knows (the Apub recorded at registration).
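The flow above, modelled end to end in one process, as an added example that is not code from the Deployment Manager or Deployment Agent projects. It covers token issue, the single-use and expiry checks, recording Apub, answering with Mpub, and the Ironhouse whitelist the ZeroMQ side consults. Assumptions: a 600-second token lifetime (the page only says "a short time"), the `DeploymentManager` class and its method names, and stand-in random keys in CurveZMQ's Z85 format in place of `zmq.curve_keypair()`, which needs pyzmq. OpenID Connect login is taken as already done before `issue_token` is called.

```python
"""Added example: model of the first-time registration flow (not project code)."""
import hashlib
import secrets
import time

TOKEN_TTL = 600  # seconds; assumed value, the page only says "a short time"

# Z85 alphabet (ZeroMQ RFC 32); a 32-byte Curve key encodes to 40 characters.
Z85 = ("0123456789abcdefghijklmnopqrstuvwxyz"
       "ABCDEFGHIJKLMNOPQRSTUVWXYZ.-:+=^!/*?&<>()[]{}@%$#")


def z85_encode(data: bytes) -> str:
    """Encode a byte string (length a multiple of 4) as Z85, 4 bytes -> 5 chars."""
    if len(data) % 4:
        raise ValueError("Z85 input must be a multiple of 4 bytes")
    out = []
    for i in range(0, len(data), 4):
        n = int.from_bytes(data[i:i + 4], "big")
        chunk = []
        for _ in range(5):            # least significant digit first, then reverse
            chunk.append(Z85[n % 85])
            n //= 85
        out.extend(reversed(chunk))
    return "".join(out)


def curve_keypair():
    """Stand-in for zmq.curve_keypair(): (public, secret) as Z85 strings.
    Real CurveZMQ derives the public key from the secret via Curve25519;
    here both halves are random, which is enough to exercise the flow."""
    return z85_encode(secrets.token_bytes(32)), z85_encode(secrets.token_bytes(32))


class DeploymentManager:
    """Server side: token issue, registration, and the Ironhouse whitelist."""

    def __init__(self, now=time.time):
        self.now = now                            # injectable clock for tests
        self.mpub, self.msec = curve_keypair()    # step 1: persistent Mkeypair
        self._tokens = {}         # sha256(token) -> (user, expiry); stored hashed
        self.devices = {}         # device id -> registration record
        self.allowed_apubs = set()  # keys the ZeroMQ authenticator will admit

    def issue_token(self, user: str) -> str:
        """Step 2: called after the user's OpenID Connect login (assumed done)."""
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[key] = (user, self.now() + TOKEN_TTL)
        return token

    def register(self, token: str, apub: str, metadata: dict) -> dict:
        """Steps 7-8: verify the token once, record Apub, answer with Mpub."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._tokens.pop(key, None)       # pop: any second use fails
        if entry is None:
            raise PermissionError("unknown or already used token")
        user, expiry = entry
        if self.now() > expiry:
            raise PermissionError("token expired")
        if len(apub) != 40 or any(c not in Z85 for c in apub):
            raise ValueError("Apub is not a Z85-encoded CurveZMQ public key")
        if metadata["id"] in self.devices:
            raise ValueError("device id already registered")
        self.devices[metadata["id"]] = {"apub": apub, "meta": metadata, "user": user}
        self.allowed_apubs.add(apub)              # Ironhouse: whitelist this client
        return {"mpub": self.mpub}

    def zap_authenticate(self, client_pub: str) -> bool:
        """Ironhouse check the ZeroMQ server applies to each CURVE client."""
        return client_pub in self.allowed_apubs


def run_flow() -> dict:
    """Drive the sequence plus its failure modes; returns outcomes for checking."""
    clock = [1_700_000_000.0]
    manager = DeploymentManager(now=lambda: clock[0])
    results = {}
    token = manager.issue_token("alice")                       # step 2
    apub, asec = curve_keypair()                               # step 5, on the device
    resp = manager.register(token, apub, {"id": "dev-01", "arch": "armv7"})  # steps 6-8
    results["got_mpub"] = resp["mpub"] == manager.mpub
    results["agent_admitted"] = manager.zap_authenticate(apub)  # step 9
    try:                                                       # replay of consumed token
        manager.register(token, curve_keypair()[0], {"id": "dev-02"})
        results["reuse"] = "accepted"
    except PermissionError:
        results["reuse"] = "rejected"
    stale = manager.issue_token("alice")                       # token left unused past TTL
    clock[0] += TOKEN_TTL + 1
    try:
        manager.register(stale, curve_keypair()[0], {"id": "dev-03"})
        results["expired"] = "accepted"
    except PermissionError:
        results["expired"] = "rejected"
    results["stranger_admitted"] = manager.zap_authenticate(curve_keypair()[0])
    return results


if __name__ == "__main__":
    print(run_flow())
```

Two choices worth noting: the server stores only a hash of each token, so a copy of its table cannot be replayed, and the token is removed from the table before the expiry check, so a stale token is gone after one attempt either way. The whitelist is what makes step 9 Ironhouse rather than plain CurveZMQ encryption: an attacker who learns Mpub can still connect encrypted, but is rejected because their public key was never registered.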