* [Galene] Help with JWT
From: Juliusz Chroboczek @ 2021-10-26 19:12 UTC (permalink / raw)
To: galene
I'm currently working on third-party authentication for Galene using JWTs
("OAuth2" for those of you who like fancy enterprise acronyms), and I need
some help from people familiar with JWTs.
1. The username should be stored in "aud", right?
2. The group name should be stored in "sub", right? Should that be the
naked group name, or the full URL?
3. Where do I stash the permissions granted to the user? Should I use
a "collision-resistant" claim name, say "https://galene.org/permissions",
or is it enough to just use "permissions"? Perhaps "galene-permissions"?
4. I'm planning to implement HS256 and ES256. We good?
-- Juliusz
* [Galene] Re: Help with JWT
From: Michael Ströder @ 2021-10-26 19:47 UTC (permalink / raw)
To: galene
On 10/26/21 21:12, Juliusz Chroboczek wrote:
> I'm currently working on third-party authentication for Galene using JWTs
> ("OAuth2" for those of you who like fancy enterprise acronyms),
Better stick to "OpenID Connect" (short "OIC" or "OIDC") right from the
beginning (see https://openid.net/developers/specs/). It's kind of a
well-defined OAuth2 profile for user data. Don't confuse it with
"OpenID" 1.0 and 2.0 because OIDC is a completely new protocol.
You should definitely test your stuff with a third-party OpenID Connect
Provider (OP).
Since you're a Go developer you might want to start with dex:
https://github.com/dexidp/dex
It is a very simple one without session management, so no SSO at all.
You could also test with Keycloak which is a full-blown WebSSO server
with built-in user database. But it's fairly easy to use a simple
container setup.
> 1. The username should be stored in "aud", right?
>
> 2. The group name should be stored in "sub", right? Should that be the
> naked group name, or the full URL?
Then you should look into what you receive in an ID token:
https://openid.net/specs/openid-connect-core-1_0.html#IDToken
I have no experience of which Go library is currently recommended for OIDC,
but I'd strongly recommend using one.
Not sure whether the lists here are kept up-to-date, I'd search
somewhere else too:
https://openid.net/developers/libraries/
> 3. Where do I stash the permissions granted to the user? Should I use
> a "collision-resistant" claim name, say "https://galene.org/permissions",
> or is it enough to just use "permissions"? Perhaps "galene-permissions"?
Note that the attributes are delivered to your application. IMHO it's ok
to use a short name.
> 4. I'm planning to implement HS256 and ES256. We good?
Abstract from algorithms as much as possible, make it configurable.
Support PKCE. Again, use a library.
Regarding authorization:
If Galene groups could be queried via an API, you could delegate the
authorization of who can access which group to this API server by passing
tokens to it...
Ciao, Michael.
* [Galene] Re: Help with JWT
From: Juliusz Chroboczek @ 2021-10-26 21:10 UTC (permalink / raw)
To: Michael Ströder; +Cc: galene
>> I'm currently working on third-party authentication for Galene using JWTs
>> ("OAuth2" for those of you who like fancy enterprise acronyms),
> Better stick to "OpenID Connect" (short "OIC" or "OIDC") right from the
> beginning (see https://openid.net/developers/specs/). It's kind of
> a well-defined OAuth2 profile for user data.
Sorry, perhaps I should not have mentioned OAuth2. I'm implementing
a simple and hopefully secure protocol based on JWT that will allow people
to write their own authentication servers in 100 lines of Python. The
hope is that this will avoid the need to do e.g. LDAP integration in
Galene itself.
I am not interested in implementing hundreds of pages of bureaucratic
rules unless they actually improve security.
> Then you should look into what you receive in an ID token:
>
> https://openid.net/specs/openid-connect-core-1_0.html#IDToken
This appears to mandate the use of OAuth2 client ids, which I'm not
implementing unless someone explains to me what actual attacks they
protect against.
>> 4. I'm planning to implement HS256 and ES256. We good?
> Abstract from algorithms as much as possible, make it
> configurable. Support PKCE. Again, use a library.
Certainly not -- that's how you become the victim of downgrade attacks.
-- Juliusz
* [Galene] Re: Help with JWT
From: graillot @ 2021-11-03 19:10 UTC (permalink / raw)
To: galene
Hello Juliusz,
> I'm currently working on third-party authentication for Galene using JWTs
> ("OAuth2" for those of you who like fancy enterprise acronyms), and I need
> some help from people familiar with JWTs.
>
> 1. The username should be stored in "aud", right?
>
> 2. The group name should be stored in "sub", right? Should that be the
> naked group name, or the full URL?
I think the username should be stored in sub and the group name should
be stored in aud, it is a minor detail though and it should be fine
either way.
I have a preference for the naked group name rather than the full URL.
> 3. Where do I stash the permissions granted to the user? Should I use
> a "collision-resistant" claim name, say "https://galene.org/permissions",
> or is it enough to just use "permissions"? Perhaps "galene-permissions"?
I think using a small name such as "perm" is also fine.
I also think that this field should be optional and have a sane default
(maybe it could be set in the configuration?).
> 4. I'm planning to implement HS256 and ES256. We good?
I think it's a good set of algorithms.
> -- Juliusz
In addition to that I think that the "nbf" and "exp" fields should also
be checked by galene to ensure the validity of the token.
Here is a small proof of concept which is a minimal web server that has
an LDAP backend and generates a token (with no permission at the moment):
<https://gitlab.crans.org/esum/jwt-ldap>.
--
Benjamin
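The following is an added example written for this page; it is neither Galene's code nor the jwt-ldap proof of concept linked above. It is a stand-alone Go issuer and verifier for the token shape Benjamin describes (sub = username, aud = group, a short "perm" claim, with "exp" and "nbf" checked), and it also makes the point from the previous message concrete: each configured key carries exactly one algorithm, and the token's "alg" header is only compared against it, never used to select the algorithm. The claim names, the `Key` type, the `Sign`/`Verify` functions and the group and permission values are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims is the layout suggested in the thread (an assumption, not Galene's
// format): sub = username, aud = group, "perm" = permissions, exp/nbf = validity
// window in Unix seconds.
type Claims struct {
	Sub  string   `json:"sub"`
	Aud  string   `json:"aud"`
	Perm []string `json:"perm,omitempty"`
	Exp  int64    `json:"exp"`
	Nbf  int64    `json:"nbf,omitempty"`
}

// Key pins one verification key to one algorithm: the token's "alg" header is
// checked against Alg and never used to pick the algorithm, so "none" and
// HS256-keyed-with-the-ES256-public-key substitutions fail before any crypto.
type Key struct {
	Alg    string
	Secret []byte           // HS256 shared secret
	Public *ecdsa.PublicKey // ES256 public key
}

var enc = base64.RawURLEncoding

// Sign is the issuer side, what a small external auth server does; priv is only used for ES256.
func Sign(c Claims, k Key, priv *ecdsa.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": k.Alg, "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	var sig []byte
	switch k.Alg {
	case "HS256":
		m := hmac.New(sha256.New, k.Secret)
		m.Write([]byte(input))
		sig = m.Sum(nil)
	case "ES256":
		d := sha256.Sum256([]byte(input))
		r, s, err := ecdsa.Sign(rand.Reader, priv, d[:])
		if err != nil { return "", err }
		sig = make([]byte, 64) // JWS ES256 signatures are raw R||S, not DER
		r.FillBytes(sig[:32])
		s.FillBytes(sig[32:])
	default:
		return "", errors.New("unsupported alg " + k.Alg)
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// Verify is the Galene side: alg pinning, signature, exp/nbf, then the group (aud)
// the token was minted for must be the group being joined.
func Verify(token string, k Key, group string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed token") }
	raw := make([][]byte, 3) // decoded header, payload, signature
	for i, p := range parts {
		b, err := enc.DecodeString(p)
		if err != nil { return nil, err }
		raw[i] = b
	}
	var hdr struct{ Alg string } // encoding/json matches "alg" case-insensitively
	if err := json.Unmarshal(raw[0], &hdr); err != nil { return nil, err }
	if hdr.Alg != k.Alg { return nil, fmt.Errorf("alg %q not allowed for this key", hdr.Alg) }
	input, sig, valid := []byte(parts[0]+"."+parts[1]), raw[2], false
	switch k.Alg {
	case "HS256":
		m := hmac.New(sha256.New, k.Secret)
		m.Write(input)
		valid = hmac.Equal(m.Sum(nil), sig)
	case "ES256":
		d := sha256.Sum256(input)
		valid = k.Public != nil && len(sig) == 64 && ecdsa.Verify(k.Public, d[:],
			new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
	} // a key configured with any other Alg leaves valid false: never "no check"
	if !valid { return nil, errors.New("bad signature") }
	var c Claims
	if err := json.Unmarshal(raw[1], &c); err != nil { return nil, err }
	if t := now.Unix(); c.Exp == 0 || t >= c.Exp || t < c.Nbf {
		return nil, errors.New("token outside its nbf/exp window")
	}
	if c.Sub == "" || c.Aud != group {
		return nil, fmt.Errorf("token for group %q does not match %q", c.Aud, group)
	}
	return &c, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	key := Key{Alg: "ES256", Public: &priv.PublicKey}
	tok, _ := Sign(Claims{Sub: "alice", Aud: "lecture", Perm: []string{"present"}, Exp: time.Now().Add(5 * time.Minute).Unix()}, key, priv)
	fmt.Println(Verify(tok, key, "lecture", time.Now()))
	fmt.Println(Verify(tok, Key{Alg: "HS256", Secret: []byte("shared")}, "lecture", time.Now())) // alg pinned: rejected
}
```

`Sign` stands in for the external auth server and `Verify` for what Galene would run on a token presented for a group. A token whose header says HS256 presented to a key configured for ES256 (or an alg=none token presented to either) is refused on the alg comparison before any signature work is done, and a key misconfigured with an unknown algorithm refuses every token rather than skipping the signature check.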