Skip to content

Latest commit

 

History

History

auth_intro

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 
auth_timeout.md
auth_timeout.md
 
 
nkey_auth.md
nkey_auth.md
 
 
tls_mutual_auth.md
tls_mutual_auth.md
 
 
tokens.md
tokens.md
 
 
username_password.md
username_password.md
 
 

README.md

Authentication

NATS authentication is multi-level. All of the security modes have an accounts level with users belonging to those accounts. The decentralized JWT Authentication also has an operator to which the accounts belong.

Each account has its own independent subject namespace: a message published on subject 'foo' in one account will not be seen by subscribers to 'foo' in other accounts. Accounts can however define exports and imports of subject(s) streams as well as expose request-reply services between accounts. Users within an account will share the same subject namespace but can be restricted to only be able to publish-subscribe to specific subjects.

Authentication Methods

The NATS server provides various ways of authenticating clients:

Authentication deals with allowing a NATS client to connect to the server. Except for JWT authentication, authentication and authorization are configured in the authorization section of the configuration. With JWT authentication the account and user information are stored in the resolver rather than in the server configuration file.

Authorization Map

The authorization block provides authentication configuration as well as authorization:

Property Description
token Specifies a global token that can be used to authenticate to the server (exclusive of user and password)
user Specifies a single global user name for clients to the server (exclusive of token)
password Specifies a single global password for clients to the server (exclusive of token)
users A list of user configuration maps. For multiple username and password credentials, specify a users list.
timeout Maximum number of seconds to wait for client authentication
auth_callout Enables the auth callout extension

User Configuration Map

A user configuration map specifies credentials and permissions options for a single user:

Property Description
user username for client authentication. (Can also be a user for tls authentication)
password password for the user entry
nkey public nkey identifying an user
permissions permissions map configuring subjects accessible to the user