From: Juliusz Chroboczek <jch@irif.fr>
To: "Michael Ströder" <michael@stroeder.com>
Cc: galene@lists.galene.org
Subject: [Galene] Re: Help with JWT
Date: Tue, 26 Oct 2021 23:10:55 +0200
Message-ID: <87wnlzze3k.wl-jch@irif.fr>
In-Reply-To: <defefdbd-2652-9ffd-11b9-4abb4a39a3a6@stroeder.com>
>> I'm currently working on third-party authentication for Galene using JWTs
>> ("OAuth2" for those of you who like fancy enterprise acronyms),
> Better stick to "OpenID Connect" (short "OIC" or "OIDC") right from the
> beginning (see https://openid.net/developers/specs/). It's kind of
> a well-defined OAuth2 profile for user data.
Sorry, perhaps I should not have mentioned OAuth2. I'm implementing
a simple and hopefully secure protocol based on JWT that will allow people
to write their own authentication servers in 100 lines of Python. The
hope is that this will avoid the need to do e.g. LDAP integration in
Galene itself.
I am not interested in implementing hundreds of pages of bureaucratic
rules unless they actually improve security.
> Then you should look into what you receive in an ID token:
>
> https://openid.net/specs/openid-connect-core-1_0.html#IDToken
This appears to mandate the use of OAuth2 client ids, which I'm not
implementing unless someone explains to me what actual attacks they
protect against.
>> 4. I'm planning to implement HS256 and ES256. We good?
> Abstract from algorithms as much as possible, make it
> configurable. Support PKCE. Again, use a library.
Certainly not -- that's how you become the victim of downgrade attacks.
-- Juliusz
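The point made above about configurable algorithms, illustrated with an added example that is not Galene's code and not from this thread: the verifier pins HS256 in its own configuration and rejects any token whose header names another algorithm, so the token itself cannot select a weaker one. The shared key, the claim layout and the expiry check are assumptions.

```python
# Added example, not Galene's code: verify a JWT with the algorithm fixed by
# the verifier's configuration rather than read from the token's "alg" header.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256(claims: dict, key: bytes, alg: str = "HS256") -> str:
    # Hypothetical issuer helper. 'alg' is a parameter only so that tokens
    # whose header claims a different algorithm can be constructed for testing.
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"

def verify_hs256(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is valid under HS256, else None.

    The expected algorithm is pinned here. A header naming anything else,
    including "none", is rejected before the signature is even examined, so
    there is no downgrade path for the token to choose."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison of the MAC over the exact bytes that were signed.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    try:
        claims = json.loads(b64url_decode(body_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) < now:
        return None
    return claims
```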