This repository has been archived by the owner on Nov 26, 2020. It is now read-only.

Authentication flow

Farshid Tavakolizadeh edited this page Sep 20, 2019 · 11 revisions

Workflow for setting up the Deployment Agent (client) on a device and registering it to Deployment Manager (server) for the first time.

The device and server talk over two protocols: ZeroMQ and HTTP. ZeroMQ is for pub/sub communication (sending software updates, getting back status and logs) and HTTP is for management tasks over a RESTful API. The Deployment GUI makes extensive use of the RESTful API.

The sequence is illustrated below:

[Figure: CPSwarm Deployment Tool - Authentication flow]

  1. The Deployment Manager generates a persistent CurveZMQ key pair (Mkeypair).
  2. A user authenticates [1] and asks for a token [2] from the server over the RESTful API (TLS with a CA-signed certificate).
  3. The user manually copies the token to the device.
  4. The user installs the Deployment Agent on the device, which starts a background service.
  5. The Deployment Agent generates a persistent CurveZMQ key pair (Akeypair).
  6. The Deployment Agent submits the token, its CurveZMQ public key (Apub), and metadata for device registration to the server's RESTful API.
  7. The Deployment Manager verifies the token and the registration document; if both are valid, it:
    1. Invalidates the token and registers the device
    2. Responds with its CurveZMQ public key (Mpub).
  8. The Deployment Agent contacts the server over ZeroMQ. They establish a secure channel using CurveZMQ [3].

[1] OpenID Connect authentication.
[2] The token is ephemeral: valid for a short time and for a single use.
[3] We use the Ironhouse pattern.
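The token handling in steps 2, 6 and 7 (short-lived, single-use token; invalidation on registration; exchange of Apub for Mpub), as an added illustration that is not the Deployment Manager's own code. The key strings are stand-ins for the CurveZMQ key pairs, the `TOKEN_TTL` value and the registration-document checks are assumptions, and the `now` parameter only exists so the expiry logic can be exercised without a clock.

```python
import secrets
import time

TOKEN_TTL = 300  # assumed lifetime of a registration token, in seconds


class DeploymentManager:
    def __init__(self):
        # Step 1: stand-in for the persistent Mkeypair; only the public half is shared.
        self.mpub = secrets.token_hex(32)
        self.tokens = {}   # token -> expiry timestamp (unused tokens only)
        self.devices = {}  # device id -> (Apub, metadata)

    def issue_token(self, now=None):
        # Step 2: an authenticated user asks for a token over the RESTful API.
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.tokens[token] = now + TOKEN_TTL
        return token

    def register(self, token, apub, metadata, now=None):
        # Steps 6-7: verify token and registration document; on success the
        # token is invalidated, the device is stored and Mpub is returned.
        now = time.time() if now is None else now
        expiry = self.tokens.get(token)
        if expiry is None:
            return None, "unknown or already used token"
        if now > expiry:
            del self.tokens[token]  # expired tokens are dropped, never reused
            return None, "expired token"
        if not metadata.get("id") or len(apub) != 64:
            return None, "invalid registration document"
        del self.tokens[token]  # single use: a replay of the same token now fails
        self.devices[metadata["id"]] = (apub, metadata)
        return self.mpub, None


def agent_registration(manager, token, device_id):
    # Steps 5-6 from the agent's side: generate Akeypair (stand-in), submit
    # the copied token, Apub and device metadata, and receive Mpub back.
    apub = secrets.token_hex(32)
    metadata = {"id": device_id, "arch": "armv7"}  # constructed sample metadata
    mpub, err = manager.register(token, apub, metadata)
    return mpub, err
```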