The Kaleido Blockchain Application Firewall (BAF) provides rich options for authenticating and authorizing application connections to your blockchain resources. The service integrates with your existing OpenID provider and allows low-level blockchain permissions to be embedded in user authentication tokens. BAF gives organizational admins a single source of truth for end-user role-based access control, and lets operators add or rescind permissions within their existing user directories. Additionally, because authentication uses an OAuth-based flow, the critical application credentials that grant access to the Kaleido resource endpoints are never exposed to end-user clients.
The Blockchain Application Firewall has a range of uses for your organization, including the following:
The Blockchain Application Firewall can be configured to trust your IAM server, whether it is a private instance of Keycloak, Okta, Microsoft Azure Active Directory, or any other system that issues tokens as signed JSON Web Tokens (JWT); the firewall verifies each token's signature against that provider before honoring the permissions it carries. The sign-in itself happens at your identity provider, so users get the standard procedure they already know: username and password, multi-factor authentication, and so on.
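To make concrete what "trusting an IAM server that issues signed JWTs" involves, here is an added Go example, not Kaleido's own BAF code, of the check a gateway runs on each token: the algorithm is pinned to RS256, the signature is verified against the provider's public key, and issuer, audience and expiry are checked before any claim is trusted. The allowed_signers claim, the issuer URL and the audience string are hypothetical; the RSA key is generated in-process to stand in for the IdP's signing key, where a real deployment would fetch the provider's public keys from its JWKS endpoint.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the part of the token payload the firewall acts on. allowed_signers is a
// hypothetical custom claim; the real claim name is whatever you configure in IdP and BAF.
type Claims struct {
	Iss            string   `json:"iss"`
	Sub            string   `json:"sub"`
	Aud            string   `json:"aud"` // a string here; RFC 7519 also allows an array
	Exp            int64    `json:"exp"`
	AllowedSigners []string `json:"allowed_signers,omitempty"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintToken plays the IdP: it issues an RS256-signed JWT for the claims.
func MintToken(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// VerifyToken is the check the firewall runs before trusting anything in the token:
// pinned algorithm, signature under the IdP's public key, then issuer, audience and
// expiry. Claims are only decoded after the signature passes.
func VerifyToken(pub *rsa.PublicKey, token, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // never let the token pick the algorithm ("none", HS256 key confusion)
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify under the configured IdP key")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Iss != wantIss {
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	}
	if c.Aud != wantAud {
		return nil, fmt.Errorf("unexpected audience %q", c.Aud)
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired or has no exp")
	}
	return &c, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the IdP's signing key (assumption)
	tok, _ := MintToken(priv, Claims{Iss: "https://idp.example", Sub: "alice", Aud: "kaleido-baf",
		Exp: time.Now().Add(time.Hour).Unix(), AllowedSigners: []string{"0xab5801a7d398351b8be11c439e05c5b3259aec9b"}})
	c, err := VerifyToken(&priv.PublicKey, tok, "https://idp.example", "kaleido-baf", time.Now())
	fmt.Printf("%+v %v\n", c, err)
}
```

The order of checks matters: the algorithm is fixed by configuration rather than read from the token, the signature is checked before the payload is parsed, and the audience check stops a token minted for a different application from being replayed against the firewall.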
Your organization may hold keys for different teams, keys for different types of operation, or even thousands of keys allocated to individual users of your application. Signing with each of those keys must therefore be restricted to authorized connections, which is what the Blockchain Application Firewall does. The firewall inspects each JSON-RPC request as it passes through, detects attempts to sign transactions, and authorizes them against a rule set that specifies which keys that connection is allowed to use. This works in tandem with your application-level security: you can configure static rules that bind keys to connections, or dynamic rules that derive the permitted keys from the JWT issued by your application tier or IAM system.
In applications where the user's own identity or key signs transactions on their web or mobile device, the application must be able to submit those pre-signed transactions to the blockchain node. That means the node's JSON-RPC interface has to be exposed to the application for sending transactions, and this is where the Blockchain Application Firewall comes into play. The firewall adds a layer of security to these connections on top of the default boundary security built into the Kaleido platform.
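Both the key-restriction rule set described above and the pre-signed-transaction case can be seen in a small JSON-RPC filter. This is an added example in Go, not Kaleido's BAF code, and it assumes a simplified rule model: a per-connection allow-list of signing addresses (static, or taken from a token claim), a fixed list of methods that make the node sign with a key it holds, and a fixed list of methods that never touch a node-held key, among them eth_sendRawTransaction, whose transaction was already signed on the client. Every other method is denied. The method lists, the parameter positions for eth_sign and personal_sign, and the sample requests are constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// rpcRequest is the subset of a JSON-RPC 2.0 request the filter inspects.
type rpcRequest struct {
	Method string            `json:"method"`
	Params []json.RawMessage `json:"params"`
}

// signingMethods make the node sign with a key it holds, so the key named in the
// request is checked against the connection's allow-list. passThroughMethods never
// use a node-held key: eth_sendRawTransaction carries a transaction already signed
// on the client, which the node only relays. Anything else is denied.
var signingMethods = map[string]bool{
	"eth_sendTransaction": true, "eth_signTransaction": true, "eth_sign": true, "personal_sign": true,
}
var passThroughMethods = map[string]bool{
	"eth_sendRawTransaction": true, "eth_call": true, "eth_blockNumber": true, "eth_chainId": true,
}

// Policy is one connection's allow-list of signing keys (lowercase hex), whether it
// came from a static rule or from a claim in the connection's JWT.
type Policy map[string]bool

func NewPolicy(signers []string) Policy {
	p := Policy{}
	for _, s := range signers {
		p[strings.ToLower(s)] = true // hex addresses compare case-insensitively
	}
	return p
}

// signerOf returns the address a signing request asks the node to use.
func signerOf(req rpcRequest) (string, error) {
	i := 0 // parameter naming the key: eth_sign(address, data); tx object for eth_send/signTransaction
	if req.Method == "personal_sign" { // personal_sign(data, address)
		i = 1
	}
	if len(req.Params) <= i {
		return "", errors.New("missing parameter")
	}
	var addr string
	if req.Method == "eth_sign" || req.Method == "personal_sign" {
		if err := json.Unmarshal(req.Params[i], &addr); err != nil {
			return "", err
		}
	} else {
		var tx struct{ From string `json:"from"` }
		if err := json.Unmarshal(req.Params[0], &tx); err != nil {
			return "", err
		}
		addr = tx.From
	}
	if addr == "" { // the node would fall back to its default account: refuse
		return "", errors.New("no signing address in request")
	}
	return strings.ToLower(addr), nil
}

// Filter checks a raw request body, one object or a JSON-RPC batch (array). Every
// element is checked and one failure rejects the whole batch, so a signing call
// cannot hide among reads.
func (p Policy) Filter(body []byte) error {
	var reqs []rpcRequest
	if err := json.Unmarshal(body, &reqs); err != nil { // not a batch: try a single object
		reqs = make([]rpcRequest, 1)
		if err := json.Unmarshal(body, &reqs[0]); err != nil {
			return err
		}
	}
	for _, r := range reqs {
		if passThroughMethods[r.Method] {
			continue
		}
		if !signingMethods[r.Method] { // e.g. personal_unlockAccount, admin_*
			return fmt.Errorf("method %s not permitted", r.Method)
		}
		from, err := signerOf(r)
		if err != nil {
			return fmt.Errorf("%s: %w", r.Method, err)
		}
		if !p[from] {
			return fmt.Errorf("%s: key %s not authorised for this connection", r.Method, from)
		}
	}
	return nil
}

func main() {
	p := NewPolicy([]string{"0xAb5801a7D398351b8bE11C439e05C5B3259aeC9B"}) // constructed allow-list
	fmt.Println(p.Filter([]byte(`{"method":"eth_sendTransaction","params":[{"from":"0xab5801a7d398351b8be11c439e05c5b3259aec9b","to":"0x00"}]}`)), p.Filter([]byte(`{"method":"eth_sign","params":["0x01","0xdead"]}`)))
}
```

Three details are easy to get wrong in a filter like this: batches must be unpacked and every element judged, a transaction object with no from must be refused rather than forwarded (the node would sign with its default account), and the default for unrecognized methods must be deny, otherwise account-management calls such as personal_unlockAccount slip past a rule set that only thinks about eth_sendTransaction.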