Issue with Bearer Token propagation in Scytale #391

Open

chaitanyasingla-dt opened this issue Jul 22, 2024 · 3 comments
Comments

@chaitanyasingla-dt

When a bearer token is used to call tr1d1um APIs, the token is successfully propagated to scytale. However, scytale does not further propagate the bearer token to Talaria.

cc: @Sachin4403 @schmidtw

@Sachin4403 (Contributor)

Scytale always uses basic auth (pre-configured in the configuration) to communicate with Talaria, and here is the code for the same.

scytale/primaryHandler.go

Lines 377 to 381 in c8233d4

if len(cfg.Authorization) > 0 {
options = append(
options,
fanout.WithClientBefore(
gokithttp.SetRequestHeader("Authorization", "Basic "+cfg.Authorization),

Since Scytale's APIs are called from Tr1d1um, and Scytale can accept both Basic and Bearer auth, Scytale must use the same authorization type when sending requests downstream that it initially accepted.

@denopink (Contributor)

denopink commented Jul 23, 2024

Hello 🙂

Talaria should only be accessed by internal servers like scytale so basic auth would suffice.
Also, we don't want to propagate the token to talaria from scytale because talaria would need its own set of permissions.

@schmidtw (Member)

While that was the case, we would like to support JWTs going from Scytale to Talaria. That improves the security position because the JWT can be rotated more easily and has better controls than basic auth.
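Added example (not Scytale's code, and not from any participant in this thread): a minimal Go sketch of the choice discussed above by @Sachin4403 and @schmidtw, where the hook that sets the downstream Authorization header forwards a caller's Bearer token when that is enabled and otherwise falls back to the static Basic credential that the quoted `fanout.WithClientBefore(gokithttp.SetRequestHeader(...))` line sends today. The `DownstreamAuth` type, its field names, the `talaria.example` URL and the inbound header values are assumptions constructed for this example; the JWT-looking token is a placeholder string, not a real or valid token.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// DownstreamAuth is a hypothetical policy for the Authorization header Scytale
// would send to Talaria. The field names are assumptions for this example, not
// Scytale's real configuration keys.
type DownstreamAuth struct {
	// BasicCredential is the pre-configured base64("user:pass") value that the
	// quoted code sends today as "Basic " + cfg.Authorization.
	BasicCredential string
	// ForwardBearer, when true, passes a caller's Bearer token downstream
	// unchanged instead of substituting the static Basic credential.
	ForwardBearer bool
}

// ErrNoCredential is returned when neither a forwardable Bearer token nor a
// configured Basic credential is available; sending no header would only
// produce an opaque 401/403 from the downstream service.
var ErrNoCredential = errors.New("downstream auth: no credential available")

// AuthorizationFor decides which Authorization header value to send
// downstream, given the Authorization header received from the caller.
func (d DownstreamAuth) AuthorizationFor(inbound string) (string, error) {
	scheme, token, _ := strings.Cut(strings.TrimSpace(inbound), " ")
	token = strings.TrimSpace(token)

	// Forward only a well-formed Bearer token. A bare "Bearer" with no token,
	// an empty header, or any other scheme (including a caller's own Basic
	// credential) falls through to the configured Basic credential.
	if d.ForwardBearer && strings.EqualFold(scheme, "Bearer") && token != "" {
		return "Bearer " + token, nil
	}
	if d.BasicCredential != "" {
		return "Basic " + d.BasicCredential, nil
	}
	return "", ErrNoCredential
}

// SetHeader plays the role of the go-kit ClientBefore hook in the quoted
// snippet: it sets Authorization on the outbound request, but picks the value
// with AuthorizationFor instead of always using the static Basic credential.
func (d DownstreamAuth) SetHeader(inbound string, out *http.Request) error {
	value, err := d.AuthorizationFor(inbound)
	if err != nil {
		return err
	}
	out.Header.Set("Authorization", value)
	return nil
}

func main() {
	policy := DownstreamAuth{BasicCredential: "c2N5dGFsZTpzZWNyZXQ=", ForwardBearer: true}

	// Constructed inbound headers, as Scytale might receive them from Tr1d1um.
	for _, inbound := range []string{
		"Bearer eyJhbGciOiJSUzI1NiJ9.e30.c2ln", // caller used a JWT: forwarded as-is
		"Basic dHIxZDF1bTpwdw==",              // caller used Basic: replaced by Scytale's own
		"Bearer",                              // malformed: falls back to Basic
		"",                                    // anonymous: falls back to Basic
	} {
		out, _ := http.NewRequest(http.MethodGet, "http://talaria.example/device/mac:112233445566/stat", nil)
		if err := policy.SetHeader(inbound, out); err != nil {
			fmt.Printf("%-40q -> error: %v\n", inbound, err)
			continue
		}
		fmt.Printf("%-40q -> %s\n", inbound, out.Header.Get("Authorization"))
	}
}
```

The point of the fallback ordering is the one raised in this thread: forwarding a caller's token only improves the security position if the downstream service validates that token itself (signature, expiry, and its own required claims) rather than trusting anything that arrives from Scytale, so `ForwardBearer` should stay off until Talaria is configured to verify JWTs. With forwarding off, the policy reproduces the current behaviour of the quoted snippet exactly.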
