Is the cookie hash key specific to the appid adapter?

Question

looking the IBM istio appid adapter for auth purposes, i could see that the adapter generates the cookie in code using a random hashkey thats created at the adapter's startup.

If i want to run multiple instances of the adapter for high availability, won't that be problematic as they don't share the cookie signing key ?

Looking at the source code what is the config.proto in config\adapter\config.proto used for ? What could one potentially use it for ?

I have trouble understanding what you are asking. Any links and more details? — data_henrik, Oct 17 '19 at 05:22
https://cloud.ibm.com/docs/services/appid?topic=appid-istio-adapter — sm_, Oct 17 '19 at 05:31
https://github.com/ibm-cloud-security/app-identity-and-access-adapter — sm_, Oct 17 '19 at 05:32
Your question is not related to the Istio adapter, but to App ID in high availability scenarios, right? — data_henrik, Oct 17 '19 at 05:45

score 1 · Answer 1 · answered Oct 17 '19 at 13:00

1

You're absolutely right. At the moment adapter can only run as a single instance, as there's no cookie sharing mechanism implemented yet. This is something we intend to address in future releases.

answered Oct 17 '19 at 13:00

Anton

3,166
1
13
12

I thought this was the case, but after digging into the code the adapter first looks into k8s secret `appidentityandaccessadapter-cookie-sig-enc-keys` – sm_ Oct 21 '19 at 00:46

score 0 · Accepted Answer · answered Oct 21 '19 at 00:47

0

Using a common signing key for cookies is supported but undocumented. The adapter looks for k8s secret named appidentityandaccessadapter-cookie-sig-enc-keys in the istio-system namespace

answered Oct 21 '19 at 00:47

sm_

2,572
2
17
34

Is the cookie hash key specific to the appid adapter?

2 Answers2