You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Adjusts wording and removes disk writing requirement. (#298)
We should try to avoid using acronyms in specifications as it makes it harder for new participants in the ecosystem to process, so I have changed all references to EL and CL to execution layer and consensus layer. Also, in many cases in this document the term EL was used when EL client was meant, so I appended "client" as appropriate.
While writing to the filesystem is useful in some setups, in others it may be a security risk. For this reason, the **MUST** write to disk was changed to a **SHOULD** write to disk so that a client that doesn't write the token to disk isn't out of compliance.
Copy file name to clipboardExpand all lines: src/engine/authentication.md
+15-15Lines changed: 15 additions & 15 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,11 +1,11 @@
1
1
# Authentication
2
2
3
-
The `engine` JSON-RPC interface, exposed by EL and consumed by CL, needs to be authenticated. The authentication scheme chosen for this purpose is [JWT](https://jwt.io/).
3
+
The `engine` JSON-RPC interface, exposed by execution layer clients and consumed by consensus layer clients, needs to be authenticated. The authentication scheme chosen for this purpose is [JWT](https://jwt.io/).
4
4
5
5
The type of attacks that this authentication scheme attempts to protect against are the following:
6
6
7
-
- RPC port exposed towards the internet, allowing attackers to exchange messages with EL engine API.
8
-
- RPC port exposed towards the browser, allowing malicious webpages to submit messages to the EL engine API.
7
+
- RPC port exposed towards the internet, allowing attackers to exchange messages with execution layer engine API.
8
+
- RPC port exposed towards the browser, allowing malicious webpages to submit messages to the execution layer engine API.
9
9
10
10
The authentication scheme is _not_ designed to
11
11
@@ -16,38 +16,38 @@ Authentication is performed as follows:
16
16
17
17
- For `HTTP` dialogue, each `jsonrpc` request is individually authenticated by supplying `JWT` token in the HTTP header.
18
18
- For a WebSocket dialogue, only the initial handshake is authenticated, after which the message dialogue proceeds without further use of JWT.
19
-
- Clarification: The websocket handshake starts with the CL performing a websocket upgrade request. This is a regular http GET request, and the actual
19
+
- Clarification: The websocket handshake starts with the consensus layer client performing a websocket upgrade request. This is a regular http GET request, and the actual
20
20
parameters for the WS-handshake are carried in the http headers.
21
21
- For `inproc`, a.k.a raw ipc communication, no authentication is required, under the assumption that a process able to access `ipc` channels for the process, which usually means local file access, is already sufficiently permissioned that further authentication requirements do not add security.
22
22
23
23
24
24
## JWT specifications
25
25
26
-
- The EL**MUST** expose the authenticated Engine API at a port independent from existing JSON-RPC API.
26
+
- The execution layer client**MUST** expose the authenticated Engine API at a port independent from existing JSON-RPC API.
27
27
- The default port for the authenticated Engine API is `8551`. The Engine API is exposed under the `engine` namespace.
28
-
- The EL**MUST** support at least the following `alg``HMAC + SHA256` (`HS256`)
29
-
- The EL**MUST** reject the `alg``none`.
28
+
- The execution layer client**MUST** support at least the following `alg``HMAC + SHA256` (`HS256`)
29
+
- The execution layer client**MUST** reject the `alg``none`.
30
30
31
31
32
-
The HMAC algorithm implies that several CLs will be able to use the same key, and from an authentication perspective, be able to impersonate each other. From a deployment perspective, it means that an EL does not need to be provisioned with individual keys for each CL.
32
+
The HMAC algorithm implies that several consensus layer clients will be able to use the same key, and from an authentication perspective, be able to impersonate each other. From a deployment perspective, it means that an EL does not need to be provisioned with individual keys for each consensus layer client.
33
33
34
34
## Key distribution
35
35
36
-
The `EL`and `CL`clients **MUST** accept a cli/config parameter: `jwt-secret`, which designates a file containing the hex-encoded 256 bit secret key to be used for verifying/generating JWT tokens.
36
+
The execution layer and consensus layer clients **SHOULD** accept a configuration parameter: `jwt-secret`, which designates a file containing the hex-encoded 256 bit secret key to be used for verifying/generating JWT tokens.
37
37
38
-
If such a parameter is not given, the client **SHOULD** generate such a token, valid for the duration of the execution, and store the hex-encoded secret as a `jwt.hex` file on the filesystem. This file can then be used to provision the counterpart client.
38
+
If such a parameter is not given, the client **SHOULD** generate such a token, valid for the duration of the execution, and **SHOULD**store the hex-encoded secret as a `jwt.hex` file on the filesystem. This file can then be used to provision the counterpart client.
39
39
40
-
If such a parameter _is_ given, but the file cannot be read, or does not contain a hex-encoded key of `256` bits, the client should treat this as an error: either abort the startup, or show error and continue without exposing the authenticated port.
40
+
If such a parameter _is_ given, but the file cannot be read, or does not contain a hex-encoded key of `256` bits, the client **SHOULD** treat this as an error: either abort the startup, or show error and continue without exposing the authenticated port.
41
41
42
42
## JWT Claims
43
43
44
44
This specification utilizes the following list of JWT claims:
45
45
46
-
- Required: `iat` (issued-at) claim. The EL**SHOULD** only accept `iat` timestamps which are within +-60 seconds from the current time.
47
-
- Optional: `id` claim. The CL **MAY** use this to communicate a unique identifier for the individual CL node.
48
-
- Optional: `clv` claim. The CL **MAY** use this to communicate the CL node type/version.
46
+
- Required: `iat` (issued-at) claim. The execution layer client**SHOULD** only accept `iat` timestamps which are within +-60 seconds from the current time.
47
+
- Optional: `id` claim. The consensus layer client **MAY** use this to communicate a unique identifier for the individual consensus layer client.
48
+
- Optional: `clv` claim. The consensus layer client **MAY** use this to communicate the consensus layer client type/version.
49
49
50
-
Other claims **MAY** be included in the JWT payload. If the EL sees claims it does not recognize, these **MUST** be ignored.
50
+
Other claims **MAY** be included in the JWT payload. If the execution layer client sees claims it does not recognize, these **MUST** be ignored.
0 commit comments