From: Juliusz Chroboczek <jch@irif.fr>
To: "Michael Ströder" <michael@stroeder.com>
Cc: galene@lists.galene.org
Subject: [Galene] Re: Help with JWT
Date: Tue, 26 Oct 2021 23:10:55 +0200
Message-ID: <87wnlzze3k.wl-jch@irif.fr>
In-Reply-To: <defefdbd-2652-9ffd-11b9-4abb4a39a3a6@stroeder.com>

>> I'm currently working on third-party authentication for Galene using JWTs
>> ("OAuth2" for those of you who like fancy enterprise acronyms),

> Better stick to "OpenID Connect" (short "OIC" or "OIDC") right from the
> beginning (see https://openid.net/developers/specs/). It's kind of
> a well-defined OAuth2 profile for user data.

Sorry, perhaps I should not have mentioned OAuth2. I'm implementing a simple
and hopefully secure protocol based on JWT that will allow people to write
their own authentication servers in 100 lines of Python. The hope is that
this will avoid the need to do e.g. LDAP integration in Galene itself.

I am not interested in implementing hundreds of pages of bureaucratic rules
unless they actually improve security.

> Then you should look into what you receive in an ID token:
>
> https://openid.net/specs/openid-connect-core-1_0.html#IDToken

This appears to mandate the use of OAuth2 client ids, which I'm not
implementing unless someone explains to me what actual attacks they protect
against.

>> 4. I'm planning to implement HS256 and ES256. We good?

> Abstract from algorithms as much as possible, make it
> configurable. Support PKCE. Again, use a library.

Certainly not -- that's how you become the victim of downgrade attacks.

-- Juliusz
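The downgrade attack behind the last reply is the well-known JWT algorithm-confusion class: a verifier that lets the token's "alg" header decide how the signature is checked can be handed "alg":"none", or an HS256 token whose MAC is keyed with the verifier's own ES256 public key. The Go example below is added here for illustration; it is not Galene's code and not code from anyone in this thread. It pins each configured key to exactly one algorithm, so the header can only ever confirm what the server already decided. The type and function names (Key, Verify, SignHS256, SignES256, RunDemo), the shared secret and the claims are all constructed for the demo; the signing helpers exist only to mint test tokens, including the two downgrade attempts, which the pinned verifier must reject.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Key binds one verification key to exactly one algorithm. Which algorithm
// runs is decided by this configuration, never by the token's "alg" header.
type Key struct {
	Alg    string           // "HS256" or "ES256" (hypothetical config value)
	Secret []byte           // HS256 shared secret
	Public *ecdsa.PublicKey // ES256 P-256 public key
}

var ErrBadToken = errors.New("jwt: token rejected")
var enc = base64.RawURLEncoding

// Verify checks a compact JWS against key and returns its claims. A header
// whose "alg" differs from key.Alg is rejected before any crypto runs, which
// closes both "alg":"none" and HS256/ES256 key-confusion downgrades.
func Verify(token string, key Key) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrBadToken
	}
	hdrJSON, err1 := enc.DecodeString(parts[0])
	payload, err2 := enc.DecodeString(parts[1])
	sig, err3 := enc.DecodeString(parts[2])
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err1 != nil || err2 != nil || err3 != nil ||
		json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != key.Alg {
		return nil, ErrBadToken
	}
	input := []byte(parts[0] + "." + parts[1])
	ok := false
	switch key.Alg {
	case "HS256":
		mac := hmac.New(sha256.New, key.Secret)
		mac.Write(input)
		ok = hmac.Equal(mac.Sum(nil), sig)
	case "ES256":
		// JWS ES256 signatures are raw r||s (32 bytes each), not DER.
		if key.Public != nil && key.Public.Curve.Params().Name == "P-256" && len(sig) == 64 {
			h := sha256.Sum256(input)
			r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
			ok = ecdsa.Verify(key.Public, h[:], r, s)
		}
	}
	var claims map[string]any
	if !ok || json.Unmarshal(payload, &claims) != nil {
		return nil, ErrBadToken // an unknown key.Alg also lands here: fail closed
	}
	return claims, nil
}

// encodeParts builds the header.payload signing input for alg and claims.
func encodeParts(alg string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, _ := json.Marshal(claims)
	return enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
}

// SignHS256 is the issuer side for a shared-secret deployment.
func SignHS256(claims map[string]any, secret []byte) string {
	input := encodeParts("HS256", claims)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + enc.EncodeToString(mac.Sum(nil))
}

// SignES256 is the issuer side for a public-key deployment.
func SignES256(claims map[string]any, priv *ecdsa.PrivateKey) (string, error) {
	input := encodeParts("ES256", claims)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + enc.EncodeToString(sig), nil
}

// RunDemo issues two legitimate tokens and two downgrade attempts and reports
// which of them Verify accepts, keyed by a short case name.
func RunDemo() (map[string]bool, error) {
	claims := map[string]any{"sub": "alice", "group": "public"} // constructed sample
	secret := []byte("constructed-demo-secret")
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	esTok, err := SignES256(claims, priv)
	if err != nil {
		return nil, err
	}
	hsKey := Key{Alg: "HS256", Secret: secret}
	esKey := Key{Alg: "ES256", Public: &priv.PublicKey}
	// Key-confusion attempt: header says HS256, MAC keyed with the ES256
	// public key bytes. A verifier that trusts the header and hands it
	// whatever key material it holds would accept this token.
	pubBytes := append(priv.X.Bytes(), priv.Y.Bytes()...)
	accepted := func(tok string, k Key) bool {
		_, err := Verify(tok, k)
		return err == nil
	}
	return map[string]bool{
		"HS256 valid":           accepted(SignHS256(claims, secret), hsKey),
		"ES256 valid":           accepted(esTok, esKey),
		"alg none":              accepted(encodeParts("none", claims)+".", esKey),
		"HS256 with public key": accepted(SignHS256(claims, pubBytes), esKey),
	}, nil
}

func main() {
	res, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println(res)
}
```

Running it prints a map in which only the two legitimate tokens are true. The design point is that Key carries the algorithm, so "make it configurable" here means configuring the server, not letting the token choose: a deployment that wants HS256 and ES256 at once simply registers two Keys and tries each, and a token can never pick an algorithm that the key it is checked against was not configured for.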
Thread overview (4 messages):
2021-10-26 19:12  [Galene] Help with JWT, Juliusz Chroboczek
2021-10-26 19:47  ` [Galene] Re: Help with JWT, Michael Ströder
2021-10-26 21:10  ` Juliusz Chroboczek [this message]
2021-11-03 19:10  ` graillot (in reply to <a4ed9394-4515-ca8a-929c-0b7175a58c10@crans.org>, not found)