
Ask HN: How are you doing S2S authentication? - stevedis
Hi everyone,

How are you doing service-to-service authentication in your apps? I'm looking for data about what people are using to secure calls between their own components. OAuth 2.0, SSH keys, mutual TLS with PKI, cert thumbprints, passwords, others? Why? How do you handle operational issues like revocation, keyroll, key distribution, and so on? Are there any particular libraries or services you use?

I work on identity at Microsoft and want to make sure we're thinking about what people are really using.

Thanks!
======
bwackwat
I have been using symmetrically encrypted TCP servers and clients, which I
have been developing in a C++ library.

I believe the standard is basically TLS 1.2 asymmetric encryption and then
token-based authentication via username/password mechanisms. For example, most
databases are securely accessible via external services using TLS.

Key distribution in my case (symmetric encryption) is trivial, but securing
or replacing those keys is non-trivial and I have yet to solve this problem.

Nonetheless, securing private or even public TLS keys is a seriously difficult
problem as well.
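The key-replacement problem bwackwat describes is usually handled by giving every symmetric key an identifier (kid) and letting the receiver accept the old and the new key during an overlap window, so senders can be moved over one at a time and the old key retired afterwards. The following is an added example in Python, not code from the original thread or from bwackwat's C++ library; the KeyRing, sign_request and Verifier names, the header layout, and the 60-second freshness window are assumptions of this example. It shows HMAC-based request authentication between two services with rotation, revocation by retiring a kid, and replay protection.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple


class KeyRing:
    """Symmetric keys indexed by a key id (kid).  (Assumed name, example only.)

    Rotation is an overlap: the receiver adds the new kid (accepting both),
    senders switch to it, then the receiver retires the old kid.
    """

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._current: Optional[str] = None  # kid used when signing

    def add(self, kid: str, key: bytes, make_current: bool = True) -> None:
        self._keys[kid] = key
        if make_current or self._current is None:
            self._current = kid

    def retire(self, kid: str) -> None:
        # A signer must move to a new current key before the old one goes away.
        if kid == self._current:
            raise ValueError("rotate to a new current key before retiring this one")
        self._keys.pop(kid, None)

    def current(self) -> Tuple[str, bytes]:
        if self._current is None:
            raise RuntimeError("key ring is empty")
        return self._current, self._keys[self._current]

    def lookup(self, kid: str) -> Optional[bytes]:
        return self._keys.get(kid)


def _canonical(kid: str, ts: int, nonce: str, method: str, path: str, body: bytes) -> bytes:
    # Everything the receiver will act on is bound into the MAC input.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([kid, str(ts), nonce, method.upper(), path, body_hash]).encode()


def sign_request(ring: KeyRing, method: str, path: str, body: bytes,
                 now: Optional[float] = None) -> Dict[str, str]:
    """Produce the auth headers a caller attaches to one request (assumed layout)."""
    kid, key = ring.current()
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    tag = hmac.new(key, _canonical(kid, ts, nonce, method, path, body), hashlib.sha256).hexdigest()
    return {"kid": kid, "ts": str(ts), "nonce": nonce, "tag": tag}


class Verifier:
    """Receiver side: checks the key id, the tag, the freshness window and replay."""

    def __init__(self, ring: KeyRing, max_skew: int = 60) -> None:
        self.ring = ring
        self.max_skew = max_skew  # assumed window; tune to real clock skew
        self._seen: Dict[str, int] = {}  # nonce -> time until which it must be remembered

    def verify(self, headers: Dict[str, str], method: str, path: str, body: bytes,
               now: Optional[float] = None) -> Tuple[bool, str]:
        now = int(time.time() if now is None else now)
        key = self.ring.lookup(headers.get("kid", ""))
        if key is None:
            return False, "unknown or retired kid"  # revocation = retiring the kid
        try:
            ts = int(headers["ts"])
            nonce, tag = headers["nonce"], headers["tag"]
        except (KeyError, ValueError):
            return False, "malformed headers"
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside freshness window"
        expected = hmac.new(key, _canonical(headers["kid"], ts, nonce, method, path, body),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag"
        # Only authenticated nonces enter the cache, so forgeries cannot fill it;
        # entries are dropped once the freshness window would reject them anyway.
        self._seen = {n: exp for n, exp in self._seen.items() if exp >= now}
        if nonce in self._seen:
            return False, "replay"
        self._seen[nonce] = ts + self.max_skew
        return True, "ok"


if __name__ == "__main__":
    ring = KeyRing()
    ring.add("k1", secrets.token_bytes(32))
    hdrs = sign_request(ring, "GET", "/health", b"")
    print(Verifier(ring).verify(hdrs, "GET", "/health", b""))
```

Distribution of the key bytes themselves is still out of band (a secret store, a deploy pipeline), which is the part bwackwat calls trivial; what the kid buys is that replacing a key no longer requires every sender and receiver to switch at the same instant, and revoking one is just retiring its kid on the receivers.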

------
stevedis
I had some offline feedback on spiffe.io - would also love to hear of people
using this. Thanks!

