diff --git a/docs/configure-and-manage/configure/qlight-node.md b/docs/configure-and-manage/configure/qlight-node.md index e6573000..132eea08 100644 --- a/docs/configure-and-manage/configure/qlight-node.md +++ b/docs/configure-and-manage/configure/qlight-node.md 
@@ -52,3 +52,64 @@ Specify a refresh mechanism for the token using [`--qlight.client.token.manageme You can add an encryption layer on the qlight client-server communication. Configure the encryption layer using the [`qlight.tls.*`](../../reference/cli-syntax.md#qlighttls) command line options. + +## Configure the `client-security-plugin` mode + +In this mode, the configured Go-Quorum plugin is called when the token expiry is reached. +You can configure and even develop your own implementation of this plugin. + +The plugins are in the ConsenSys repository and are downloaded automatically to the plugins directory. + +You can provide your own plugin implementation. Refer to the [use of plugin with the hello world tutorial](../../tutorials/use-plugin.md) and follow the same steps with the following projects: + +- [ProtoBuf model](https://github.com/ConsenSys/quorum-plugin-definitions/blob/master/qlight-token-manager.proto) - GoQuorum plugins are based on the Hashicorp plugin model, this is a gRPC model for the communication interaction. + +- [QLight Token Manager Plugin SDK in Go](https://github.com/ConsenSys/quorum-qlight-token-manager-plugin-sdk-go) - The model is pre-compiled as an SDK you can refer to, so you can develop your own implementation. + +- [GoQuorum Qlight Token Manager Plugin](https://github.com/ConsenSys/quorum-plugin-qlight-token-manager) - The Go-Quorum implementation using the Ory Hydra OAuth server. + +You can refer to the [QLight Client with Token Manager Plugin](https://github.com/baptiste-b-pegasys/quorum-examples/pull/1/files#diff-f1ae6238d92e0b4f764eede62765302b1cfffee7e9a971a48ee97354b57b9686) Docker-compose file in the GoQuorum examples. + +### Steps + +1. 
Configure the plugins (`plugins/geth-plugin-settings.json`) + + ```json + { + "baseDir": "./plugins", + "providers": { + "qlighttokenmanager": { + "name":"quorum-plugin-qlight-token-manager", + "version":"1.0.0", + "config": "file://./plugins/qlight-token-manager-plugin-config.json" + }, + "helloworld": { + "name":"quorum-plugin-hello-world", + "version":"1.0.0", + "config": "file://./plugins/hello-world-plugin-config.json" + } + } + } + ``` + +2. Configure the qlight token manager (`plugins/qlight-token-manager-plugin-config.json`) + + ```json + { + "url":"https://multi-tenancy-oauth2-server:4444/oauth2/token", + "method":"POST", + "parameters":{ + "grant_type":"client_credentials", + "client_id":"${PSI}", + "client_secret":"foofoo", + "scope":"rpc://eth_* p2p://qlight rpc://admin_* rpc://personal_* rpc://quorumExtension_* rpc://rpc_modules psi://${PSI}?self.eoa=0x0&node.eoa=0x0", + "audience":"Node1" + } + } + ``` + +3. Enable the plugins configuration in the geth arguments + + Add the flag `--plugins file://./plugins/geth-plugin-settings.json --plugins.skipverify` so GoQuorum enables them. + + (`skipverify` will skip the verification of the plugins integrity)
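Review bot: Step 3 folds `--plugins.skipverify` into the single flag string readers are told to add, so anyone following the steps disables plugin integrity verification, on a page that also says the plugins "are downloaded automatically to the plugins directory". Suggest giving `--plugins file://./plugins/geth-plugin-settings.json` as the flag to add, and moving `--plugins.skipverify` into its own sentence that says when skipping verification is acceptable, instead of the trailing parenthetical. In step 2, `"client_secret":"foofoo"` is a literal value that will be copied as-is; a visibly marked placeholder, plus a sentence on where the real secret should come from, would be safer. Smaller points: the text alternates between "Go-Quorum" and "GoQuorum", and the Docker-compose link points at a PR diff anchor on a personal fork (`baptiste-b-pegasys/quorum-examples/pull/1/files#diff-...`), which is a fragile target for a docs reference.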