Authentication & Authorization Security Demo

Interactive demonstrations of authentication methods, RBAC authorization, and security best practices for the CNCF Volcano AgentCube project.

Checkpoint 1: Ownership

Caller → Router session access control. Enforced rule: only the session owner can invoke the sandbox.

  • ✓ Session hijack prevention
  • ✓ Owner identity check
  • ✓ Caller→router→sandbox flow (simulated)

Checkpoint 2: Create Policy

Caller → Router session creation authorization: role checks + namespace quota enforcement.

  • ✓ Role in namespace
  • ✓ Session type checks
  • ✓ Quota / limits

Checkpoint 3: Router→WM

Service-to-service authentication & authorization. TokenReview + SubjectAccessReview or SPIFFE mTLS.

  • ✓ TokenReview simulation
  • ✓ SubjectAccessReview simulation
  • ✓ SPIFFE/SPIRE option

Cloud Identity

Cloud-native identity mapping: Keycloak (OIDC) for users, SPIFFE/SPIRE for service-to-service.

  • ✓ Keycloak JWT validation concepts
  • ✓ SPIFFE IDs + X.509 SVIDs
  • ✓ Checkpoint mapping

JWT Authentication

RS256 JWT signing with RSA-2048 keys, token validation, expiration handling, and algorithm confusion prevention.

  • ✓ RSA-2048 key pair generation
  • ✓ RS256 signing algorithm
  • ✓ Token structure visualization
  • ✓ Expiration & refresh tokens

K8s ServiceAccount

Kubernetes TokenReview API simulation, ServiceAccount token structure, and namespace extraction.

  • ✓ TokenReview API pattern
  • ✓ ServiceAccount token format
  • ✓ Namespace isolation
  • ✓ LRU caching simulation

RBAC Authorization

Role-Based Access Control with namespace-scoped permissions, policy evaluation, and visual decision trees.

  • ✓ Role & permission management
  • ✓ Namespace-scoped access
  • ✓ Policy evaluation engine
  • ✓ Visual authorization flow

Security Features

Rate limiting, token revocation, audit logging, and password hashing demonstrations.

  • ✓ Rate limiting (sliding window)
  • ✓ Token blacklist/revocation
  • ✓ Audit logging
  • ✓ Bcrypt password hashing

API Key Auth

Secure API key generation, bcrypt hashing, constant-time comparison, and key scoping.

  • ✓ Secure random key generation
  • ✓ Bcrypt hashing
  • ✓ Constant-time comparison
  • ✓ Key expiration & scoping

OAuth Flow (Legacy)

Legacy generic OAuth demo. For AgentCube-specific IdP integration, see “Cloud Identity”.

  • ✓ Authorization code flow
  • ✓ Token introspection
  • ✓ IdP simulation
  • ✓ Refresh token handling

Security Best Practices

Authentication

  • ✓ Algorithm confusion attack prevention
  • ✓ Short-lived tokens (15 min) with refresh tokens
  • ✓ Constant-time comparison for secrets
  • ✓ Secure token storage (recommended patterns)
  • ✓ Token revocation and blacklisting

Authorization

  • ✓ Fail-secure defaults (deny by default)
  • ✓ Namespace-scoped permissions
  • ✓ Principle of least privilege
  • ✓ Role-based access control (RBAC)
  • ✓ Audit logging for all auth decisions

Defense in Depth

  • ✓ Rate limiting (prevent brute force)
  • ✓ Input validation and sanitization
  • ✓ HTTPS-only communication
  • ✓ Security headers (CSP, HSTS)
  • ✓ Regular security audits

Kubernetes Integration

  • ✓ TokenReview API for validation
  • ✓ SubjectAccessReview for authorization
  • ✓ ServiceAccount token format
  • ✓ Namespace isolation
  • ✓ LRU caching for performance

AgentCube Context

This demo showcases authentication and authorization patterns relevant to the CNCF Volcano AgentCube project. The implementations demonstrate understanding of existing AgentCube security patterns while proposing enhancements for multi-method authentication.

JWT Pattern

Based on pkg/router/jwt.go - RSA-2048 RS256 signing

ServiceAccount Auth

Based on pkg/workloadmanager/auth.go - TokenReview API

Session Storage

Based on pkg/store/store_redis.go - Token blacklist pattern