API & Worker Authentication

[azriel46d]

Hi All,
What strategies are utilised in providing authentication to workers? I am seeing on Orkes, a key and a secret are provided to the worker to be able to authenticate, is this possible with Conductor without deviating from the fork?
The reason we are considering Conductor is with regards to Payment Orchestration within the banking industry, and, without an authentication layer, it would be very difficult to consider Conductor and its benefits for this.

I am aware that there is a fork which includes Oauth 2 , however, I'd rather stick to the original setup, since we do not have in-house Java expertise.

Also what are the possibilities that in production, workflows are set to read-only?

[v1r3n]

Hi @azriel46d at Orkes we use Key/Secret for the workers to generate a api token with a set expiry that is used to make all the calls.

All the workflows and tasks are protected using Rule Based Access Control and authorization layer which makes it possible to define groups/users with different level of authorization including read-only workflows. This is a layer on top of the OSS without changing the OSS layer or creating a fork of OSS. We do plan to push this to OSS as well in future.

[azriel46d]

Thanks for this. Is there any particular timeline to this being pushed to the OSS?
Although Orkes Key/Secret would solve the problem, unfortunately Orkes is not a setup which we can particularly adopt as all the installation requires to be in our own private cloud/on premise.
What we are looking at is adding a layer on top of Conductor. Since we are using Kubernetes we are looking at managing authentication via Istio thus providing a similar setup to the mentioned security. I'd love to hear how others are handling security concerns.

[rubendevgo]

Hi @azriel46d, In my company we are having the same problem, have you been able to deal with this?

[JCHacking]

Is there any news about this? I have the same requirement

[v1r3n]

Hi @JCHacking happy to chat on how we are doing this in Orkes.

[JCHacking]

Hi @v1r3n unfortunately in my company we want to host the entire platform ourselves, so it is a better option to use native Conductor than Orkes Conductor from what I understand.