Galène videoconferencing server discussion list archives
From: Juliusz Chroboczek <jch@irif.fr>
To: "Michael Ströder" <michael@stroeder.com>
Cc: galene@lists.galene.org
Subject: [Galene] Re: Help with JWT
Date: Tue, 26 Oct 2021 23:10:55 +0200
Message-ID: <87wnlzze3k.wl-jch@irif.fr>
In-Reply-To: <defefdbd-2652-9ffd-11b9-4abb4a39a3a6@stroeder.com>

>> I'm currently working on third-party authentication for Galene using JWTs
>> ("OAuth2" for those of you who like fancy enterprise acronyms),

> Better stick to "OpenID Connect" (short "OIC" or "OIDC") right from the
> beginning (see https://openid.net/developers/specs/). It's kind of
> a well-defined OAuth2 profile for user data.

Sorry, perhaps I should not have mentioned OAuth2.  I'm implementing
a simple and hopefully secure protocol based on JWT that will allow people
to write their own authentication servers in 100 lines of Python.  The
hope is that this will avoid the need to do e.g. LDAP integration in
Galene itself.

I am not interested in implementing hundreds of pages of bureaucratic
rules unless they actually improve security.

> Then you should look into what you receive in an ID token:
> 
> https://openid.net/specs/openid-connect-core-1_0.html#IDToken

This appears to mandate the use of OAuth2 client ids, which I'm not
implementing unless someone explains to me what actual attacks they
protect against.

>> 4. I'm planning to implement HS256 and ES256.  We good?

> Abstract from algorithms as much as possible, make it
> configurable. Support PKCE. Again, use a library.

Certainly not -- that's how you become the victim of downgrade attacks.

-- Juliusz
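The point about downgrade attacks, as an added Python example that is not Galene's code and not the protocol the author is designing: a verifier that pins the accepted JWT algorithm out of band, rather than trusting the attacker-controlled `alg` header, rejects `alg: none` and header-swapped tokens even though their signature field is present. The shared secret, the claims and the hypothetical `verify_pinned` / `sign_hs256` helpers are constructed for this example; a real issuer would hard-code the algorithm rather than take it as a parameter (it is a parameter here only so the forged tokens can be built).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret between the auth server and the verifier.
SECRET = b"constructed-example-secret-do-not-use"

# The verifier decides the algorithm once, out of band. The token header
# never gets a vote.
EXPECTED_ALG = "HS256"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWT. `alg` is only overridable so the examples below
    can forge tokens with a bad header; an issuer would hard-code it."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    if alg == "none":
        # The "alg: none" shape from the JWS spec: empty signature field.
        return signing_input + "."
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(mac)


def verify_pinned(token: str, key: bytes, now=None) -> dict:
    """Verify a token against the pinned algorithm. Raises ValueError on
    any failure; returns the claims on success."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # This check is what prevents the downgrade: a header claiming "none"
    # or a different algorithm is rejected before any signature logic runs.
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(
        key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims


def accepts(token: str, key: bytes, now=None) -> bool:
    """Convenience wrapper: True if verify_pinned accepts the token."""
    try:
        verify_pinned(token, key, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    claims = {"sub": "alice", "exp": 2000}
    good = sign_hs256(claims, SECRET)
    print("good token:", accepts(good, SECRET, now=1000))
    print("alg none:", accepts(sign_hs256(claims, SECRET, alg="none"), SECRET, now=1000))
    print("alg swapped:", accepts(sign_hs256(claims, SECRET, alg="ES256"), SECRET, now=1000))
    print("wrong key:", accepts(sign_hs256(claims, b"other"), SECRET, now=1000))
    print("expired:", accepts(good, SECRET, now=3000))
```

Making the algorithm configurable per token (reading `alg` from the header) is exactly the mistake this guards against; if the verifier must support both HS256 and ES256, the choice belongs in the verifier's configuration for a given issuer, and the header is compared against that configured value, never consulted to pick the verification routine.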


Thread overview: 4+ messages
2021-10-26 19:12 [Galene] " Juliusz Chroboczek
2021-10-26 19:47 ` [Galene] " Michael Ströder
2021-10-26 21:10   ` Juliusz Chroboczek [this message]
     [not found] ` <a4ed9394-4515-ca8a-929c-0b7175a58c10@crans.org>
2021-11-03 19:10   ` graillot
