This repository contains a couple of Resonate applications that showcase Resonate's token-based authentication and prefix-based authorization.
These examples use JWTs generated with jwt-cli and a self-generated private/public key pair. For production usage we recommend more robust security providers like Keycloak.
token-auth: Use this when you need to authenticate clients (ensure only trusted clients can connect), but all authenticated clients should have full access to all promises. This is suitable for private networks or microservices where every authenticated client is equally trusted.
prefix-authz: Use this when you need both authentication and data isolation. Clients are issued tokens with a prefix claim that restricts them to only access promises matching that prefix. This enables multi-tenant systems, role-based access control, or isolating different workers/services from accessing each other's promises.
All the examples in this repository require a similar setup. Where necessary, the examples go through some of these steps again.
Install the resonate server:
# macOS
brew install resonatehq/tap/resonate
Generate RSA key pair:
# Generate private key (keep this secret!)
openssl genrsa -out private_key.pem 2048
# Extract public key from private key (will use this one with the resonate server)
openssl rsa -in private_key.pem -pubout -out public_key.pem
Install jwt-cli:
# macOS
brew install mike-engel/jwt-cli/jwt-cli
# Other platforms: follow instructions at https://github.com/mike-engel/jwt-cli#installation
jwt-cli quick usage guide:
# Encode/sign JWT (this is all we will need for this example)
jwt encode --secret @private_key.pem -A RS256 '{"prefix":"myPrefix"}'
All examples will start the Resonate server the same way:
resonate dev --api-auth-public-key public_key.pem
This command starts the Resonate server with JWT-based authentication and authorization.
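To check a token before handing it to a client, the following added example (not part of this repository) verifies an RS256 signature against the public key and reads back the prefix claim, using only openssl. The helper names (`mint_jwt`, `verify_jwt`, `prefix_of`) are hypothetical, `mint_jwt` stands in for `jwt encode`, and the key pair is a throwaway one created in a temp directory.

```shell
#!/usr/bin/env bash
# Added example (constructed data): verify an RS256 token against the public
# key given to the server, and read back its "prefix" claim. Needs openssl.

b64url_encode() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

b64url_decode() {  # $1 = base64url text without padding
  local s=$1
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | tr '_-' '/+' | openssl base64 -d -A
}

# Stand-in for `jwt encode`, so the example also runs where jwt-cli is absent.
mint_jwt() {  # $1 = JSON claims, $2 = private key PEM
  local h p sig
  h=$(printf '%s' '{"typ":"JWT","alg":"RS256"}' | b64url_encode)
  p=$(printf '%s' "$1" | b64url_encode)
  sig=$(printf '%s' "$h.$p" | openssl dgst -sha256 -sign "$2" | b64url_encode)
  printf '%s.%s.%s\n' "$h" "$p" "$sig"
}

# Prints the claims JSON and returns 0 only for a valid RS256 signature.
verify_jwt() {  # $1 = token, $2 = public key PEM
  local h rest p s sigfile rc=0
  h=${1%%.*}; rest=${1#*.}; p=${rest%%.*}; s=${rest#*.}
  # Pin the algorithm: anything other than RS256 is rejected outright.
  case $(b64url_decode "$h" 2>/dev/null) in *'"alg":"RS256"'*) ;; *) return 1 ;; esac
  sigfile=$(mktemp)
  b64url_decode "$s" > "$sigfile" 2>/dev/null
  printf '%s' "$h.$p" |
    openssl dgst -sha256 -verify "$2" -signature "$sigfile" >/dev/null 2>&1 || rc=1
  rm -f "$sigfile"
  [ "$rc" -eq 0 ] && b64url_decode "$p"
}

# Extract the prefix claim (plain string match; assumes compact JSON).
prefix_of() { printf '%s' "$1" | sed -n 's/.*"prefix":"\([^"]*\)".*/\1/p'; }

# Demo with a throwaway key pair in a temp directory.
demo() {
  local d tok claims
  d=$(mktemp -d)
  openssl genrsa -out "$d/private_key.pem" 2048 2>/dev/null
  openssl rsa -in "$d/private_key.pem" -pubout -out "$d/public_key.pem" 2>/dev/null
  tok=$(mint_jwt '{"prefix":"myPrefix"}' "$d/private_key.pem")
  claims=$(verify_jwt "$tok" "$d/public_key.pem") && echo "valid, prefix=$(prefix_of "$claims")"
  rm -rf "$d"
}
demo
```

A token produced by `jwt encode` can be passed to `verify_jwt` together with `public_key.pem` in the same way.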