ConfD User Community

RESTCONF Token based authentication

Hi,

Has anyone been able to do this successfully?

Thanks


You may want to consider using X509 authentication (certificate/keys).
See:

For ConfD RESTCONF token authentication there is an appnote that provides guidance:

We have set up external authentication. The only tricky part was figuring out how it was all supposed to work; the result was reasonably straightforward after we had overcome the learning curve. We currently validate username/password only but could quite easily switch it to validate tokens.


Hi @cohult, I’m working on a token-based RESTCONF authentication method. Yes, certificate/keys is one of the possible ways.

Hi @tspencer
Have you tried this? Which tool is better for token generation, if you have used any?

How to maintain the Token consistently for username/password?

Thanks

No, I haven’t tried token-based per se, @dsiddagangappa, but from the docs, it seems that the hard part is the external auth bit (which I have done and is all that we allow in ConfD). That said, maybe both parts are generally hard. Our product is an OAuth server, so my view of creating and maintaining tokens isn’t average :grinning:

I’d do it like this:

Use one of the OAuth flows to get a token – for example ROPC if you want to tie it to a user and don’t have a browser involved (see section 4.3 of RFC 6749); if you have a browser, then use the code flow (section 4.1 of the same RFC, preferably with PKCE). Either way, in the external auth app that you configure in confd.conf, validate the token. If that token is a JWT, then it’ll amount to a digital signature validation and return the sub claim as the user with other attributes (like groups, potentially). If it’s an opaque reference token, in the external auth program, call the OAuth server’s introspection endpoint (RFC 7662).

If issuing and validating tokens is out of scope for what you guys need to develop, but you want to do token-based auth with ConfD, check out curity.io. We can certainly help with those bits. (Sorry, shameless plug :sunglasses:)
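
The JWT branch of the approach described in the post above, as an added example that is not part of the original thread and not ConfD's own code: it verifies the signature, pins the algorithm, checks `iss`, `aud` and `exp`, and returns the `sub` claim with the groups. HS256 with a shared key is swapped in so the block runs on the Python standard library alone (verifying against an OAuth server's public key would use an asymmetric algorithm instead); the key, issuer, audience, the `groups` claim name and all function names are assumptions, and handing the result back to ConfD from the external auth program is left out.

```python
import base64, hashlib, hmac, json, time

# Constructed sample values (assumptions, not from the thread).
KEY, ISS, AUD = b"constructed-demo-key", "https://idp.example", "confd-restconf"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_token(claims: dict, key: bytes, header=None) -> str:
    """Stand-in for the OAuth server: issue a constructed HS256 token."""
    header = header or {"alg": "HS256", "typ": "JWT"}
    msg = ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, claims))
    return msg + "." + b64url_encode(hmac.new(key, msg.encode(), hashlib.sha256).digest())

def validate_token(token, key, issuer, audience, now=None):
    """Return (user, groups) for a valid token, or None to reject it."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        # Pin the algorithm; never let the token pick it (rejects "alg": "none").
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))  # parsed only after the signature checks out
    except (ValueError, TypeError, AttributeError):
        return None
    if not isinstance(claims, dict) or claims.get("iss") != issuer:
        return None
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        return None
    groups = claims.get("groups")
    groups = [g for g in groups if isinstance(g, str)] if isinstance(groups, list) else []
    return sub, groups

if __name__ == "__main__":
    demo = make_token({"iss": ISS, "aud": AUD, "sub": "alice",
                       "groups": ["admin"], "exp": time.time() + 300}, KEY)
    print(validate_token(demo, KEY, ISS, AUD))
```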