Node pairing is the process of establishing a federated network between two Corteza instances (nodes).
The node identification step exchanges information about the nodes required to establish a connection (URL address, node name, and some other metadata).
The node identification step doesn’t exchange any authentication tokens apart from the OTT token.
- Node A administrator registers node B and generates a node URI
Node registration step lets node A know about node B. The generated node URI identifies node A and looks like this:
- Node A administrator sends the node URI to the node B administrator
The transferred node URI lets node B administrator quickly register node A.
This step is performed manually by the node administrators. The two administrators should use a secure channel to exchange this information.
- Node B administrator registers node A using the node URI
Node registration step lets node B know about node A. Both nodes have been identified and are prepared to perform the node handshake.
The node handshake step configures the nodes and exchanges authentication tokens that the nodes use to access protected resources.
Corteza Federation leverages Corteza’s already established authentication facility, using system users and JWT tokens (later referred to as a token).
This enables us to reduce potential security holes and leverage our RBAC access control facility.
All authentication tokens are unique, even the ones in the same node pair.
- Node B administrator initializes the handshake with node A
Node B initializes the state and generates a $TOKEN_B that can be used by node A when accessing protected resources.
- Node B sends a handshake request to node A
Node A administrator is notified (via email) that node B wishes to establish a federated network. The handshake request must be manually confirmed by the node A administrator.
This request is authenticated by the
The actual authentication tokens authenticate all following requests.
- Node A administrator confirms the handshake request
Node A initializes the state and generates a $TOKEN_A that can be used by node B when accessing protected resources.
- Node A completes the handshake step
Node A sends the generated $TOKEN_A to node B with a confirmation that the handshake was successful.
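
The node A side of the handshake above, as an added example rather than Corteza's own code: the type and function names are hypothetical, and it assumes the handshake request is authenticated by the OTT from the identification step. It shows the OTT being consumed on first use, so a replayed request is rejected, and $TOKEN_A being issued only after the administrator confirms.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Peer is node A's record of node B (hypothetical model, not Corteza's schema).
type Peer struct {
	OTT       string // one-time token from the node URI; cleared on first use
	Pending   bool   // handshake received, waiting for administrator confirmation
	PeerToken string // $TOKEN_B, issued by node B for node A to use
}

func newToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// ReceiveHandshake runs on node A: verify the OTT, burn it, store $TOKEN_B.
func (p *Peer) ReceiveHandshake(ott, tokenB string) error {
	if p.OTT == "" || subtle.ConstantTimeCompare([]byte(ott), []byte(p.OTT)) != 1 {
		return fmt.Errorf("handshake rejected: invalid or already used OTT")
	}
	p.OTT, p.PeerToken, p.Pending = "", tokenB, true
	return nil
}

// Confirm runs on node A after the administrator approves; returns $TOKEN_A.
func (p *Peer) Confirm() (string, error) {
	if !p.Pending {
		return "", fmt.Errorf("no pending handshake to confirm")
	}
	p.Pending = false
	return newToken(), nil
}

func main() {
	a := &Peer{OTT: newToken()} // node A registered node B; the OTT travels in the node URI
	ott := a.OTT
	fmt.Println("first request:", a.ReceiveHandshake(ott, newToken()))
	fmt.Println("replayed request:", a.ReceiveHandshake(ott, newToken()))
	tokenA, err := a.Confirm()
	fmt.Println("issued $TOKEN_A:", tokenA != "" && tokenA != a.PeerToken, err)
}
```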