Managing NATS Security

If you are using the JWT model of authentication to secure your NATS infrastructure or implementing an Auth callout service, you can administer authentication and authorization without having to change the servers’ configuration files.

You can use the nsc CLI tool to manage identities. Identities take the form of nkeys. Nkeys are a public-key signature system based on Ed25519 for the NATS ecosystem. The nkey identities are associated with NATS configuration in the form of a JSON Web Token (JWT). The JWT is digitally signed by the private key of an issuer forming a chain of trust. The nsc tool creates and manages these identities and allows you to deploy them to a JWT account server, which in turn makes the configurations available to nats-servers.

You can also use nk CLI tool and library to manage keys.

Creating, updating and managing JWTs programmatically

You can create, update and delete accounts and users programmatically using the following libraries:

Integrating with your existing authentication/authorization system

You can integrate NATS with your existing authentication/authorization system or create your own custom authentication using the Auth callout.

Examples

See NATS by Example under “Authentication and Authorization” for JWT and Auth callout server implementation examples.

User JWTs

User creation in Golang

Account JWTs

Golang example from https://natsbyexample.com/examples/auth/nkeys-jwts/go

  1. package main
  3. import (
  4.     "flag"
  5.     "fmt"
  6.     "log"
  8.     "github.com/nats-io/jwt/v2"
  9.     "github.com/nats-io/nkeys"
  10. )
  12. func main() {
  13.     log.SetFlags(0)
  15.     var (
  16.         accountSeed  string
  17.         operatorSeed string
  18.         name         string
  19.     )
  21.     flag.StringVar(&operatorSeed, "operator", "", "Operator seed for creating an account.")
  22.     flag.StringVar(&accountSeed, "account", "", "Account seed for creating a user.")
  23.     flag.StringVar(&name, "name", "", "Account or user name to be created.")
  25.     flag.Parse()
  27.     if accountSeed != "" && operatorSeed != "" {
  28.         log.Fatal("operator and account cannot both be provided")
  29.     }
  31.     var (
  32.         jwt string
  33.         err error
  34.     )
  36.     if operatorSeed != "" {
  37.         jwt, err = createAccount(operatorSeed, name)
  38.     } else if accountSeed != "" {
  39.         jwt, err = createUser(accountSeed, name)
  40.     } else {
  41.         flag.PrintDefaults()
  42.         return
  43.     }
  44.     if err != nil {
  45.         log.Fatalf("error creating account JWT: %v", err)
  46.     }
  48.     fmt.Println(jwt)
  49. }
  51. func createAccount(operatorSeed, accountName string) (string, error) {
  52.     akp, err := nkeys.CreateAccount()
  53.     if err != nil {
  54.         return "", fmt.Errorf("unable to create account using nkeys: %w", err)
  55.     }
  57.     apub, err := akp.PublicKey()
  58.     if err != nil {
  59.         return "", fmt.Errorf("unable to retrieve public key: %w", err)
  60.     }
  62.     ac := jwt.NewAccountClaims(apub)
  63.     ac.Name = accountName
  65.     // Load operator key pair
  66.     okp, err := nkeys.FromSeed([]byte(operatorSeed))
  67.     if err != nil {
  68.         return "", fmt.Errorf("unable to create operator key pair from seed: %w", err)
  69.     }
  71.     // Sign the account claims and convert it into a JWT string
  72.     ajwt, err := ac.Encode(okp)
  73.     if err != nil {
  74.         return "", fmt.Errorf("unable to sign the claims: %w", err)
  75.     }
  77.     return ajwt, nil
  78. }
  80. func createUser(accountSeed, userName string) (string, error) {
  81.     ukp, err := nkeys.CreateUser()
  82.     if err != nil {
  83.         return "", fmt.Errorf("unable to create user using nkeys: %w", err)
  84.     }
  86.     upub, err := ukp.PublicKey()
  87.     if err != nil {
  88.         return "", fmt.Errorf("unable to retrieve public key: %w", err)
  89.     }
  91.     uc := jwt.NewUserClaims(upub)
  92.     uc.Name = userName
  94.     // Load account key pair
  95.     akp, err := nkeys.FromSeed([]byte(accountSeed))
  96.     if err != nil {
  97.         return "", fmt.Errorf("unable to create account key pair from seed: %w", err)
  98.     }
  100.     // Sign the user claims and convert it into a JWT string
  101.     ujwt, err := uc.Encode(akp)
  102.     if err != nil {
  103.         return "", fmt.Errorf("unable to sign the claims: %w", err)
  104.     }
  106.     return ujwt, nil
  107. }

Notes

You can see the key (and any signing keys) of your operator using nsc list keys --show-seeds, you should use a ‘signing key’ to create the account JWTs (as singing keys can be revoked/rotated easily)

To delete accounts use the "$SYS.REQ.CLAIMS.DELETE" (see reference) and make sure to enable JWT deletion in your nats-server resolver (config allow_delete: true in the resolver stanza of the server configuration).

The system is just like any other account, the only difference is that it is listed as system account in the operator’s JWT (and the server config).