Authentication
The different KuFlow integration services implement a series of security mechanisms that a worker will have to configure. Depending on the nature of the service you want to connect to, HTTP Basic authentication, token-based authentication, and Mutual TLS authentication may be required.
The access credentials to the APIs are obtained from the KuFlow application. To do this, a user with the appropriate permissions must go to the "Applications" section within the settings module. From here you can create as many Applications as you want. Think of the application concept as a concept that encompasses external access. Each application created will have a Identifier and a Password that will be required to access Kuflow API services.
In addition, for the GRPC api, it is necessary to implement mTLS-based authentication, so we need a client certificate and a private key. The management and use of these certificates and keys for the mTLS connection happens transparently to the user when using one of the SDKs we provide for the construction of your Workers.
This section details the security mechanisms required for each service.
REST API authentication
HTTP Basic Authentication is used as the authentication mechanism. In conjunction with HTTPS protocol, we obtain a mechanism that guarantees the confidentiality of the data and we maintain access to the API in a simple way. To access this API you need to obtain a identifier and password pair through an "Application" configured in KuFlow.
How to use
You simply have to add to the headers of your request, the header:
Authorization: Basic <credentials>
Where credentials is the Base64 encoding of identifier and password joined by a single colon ":". For example:
Authorization: Basic d29ya2VyMDE6cGFzc3dvcmQ=
In our SDKs, we have Rest clients that perform the authentication mechanism transparently to you.
GRPC API Temporal authentication
From the KuFlow web application, it is possible to download a sample Worker generated for processing in each of the languages for which we offer an SDK. This option can be found in the Process definition screens. This example or template will be ready to use by following the instructions in the Readme that is also generated in the download. These examples use our SDK to connect to the GRPC API and transparently configure all the authentication and authorization mechanisms set up for this API. Therefore, this documentation is purely conceptual.
Authentication with mTLS
Temporal supports Mutual TLS (mTLS) as a way of encrypting network traffic between workers and a Temporal service. Therefore we will need to properly configure our clients.
In general you should know that to generate the right SSL context for mTLS you need to have three elements:
- The certificate authority (CA) certificate
- The client certificate (Worker)
- The private key of the client certificate (Worker)
The management of these elements happens transparently to you when using our SDKs. It is recommended to consult the examples of each SDK in our GitHub repositories, if you want to know in depth details of implementation.
Authorization with JWT
KuFlow implements an advanced permission mechanism that controls the actions that a certain user can perform in the application and the entities to which they have access. Similarly, the Workers are subject to similar restrictions. For example, a user can grant or revoke permission to a Worker at any time in the application, therefore a more dynamic Authorization mechanism is needed than the one based on certificates, which are entities with a longer life span.
For this, we use JWT (JSON Web Tokens). Tokens are issued through the rest API and together with mTLS, complete a strong authentication and authorization system. These tokens have a specific duration, so an important aspect to take into account is that you must refresh the tokens if they expire.
The JWT tokens will be sent to the KuFlow's Temporal server, which will be in charge of validating them and authorizing the necessary request. Our SDKs provide the necessary mechanisms to add the necessary headers in the GRPC requests to the Temporal services. You can find examples of how to configure them on our Github repositories. Also, you can also consult our REST API reference to inspect this request to obtain the token but remember, the use and maintenance of this JWT token happens transparently to you when using our SDKs so you don't have to perform additional operations.
