From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Tue, 26 Oct 2021 23:10:55 +0200
Message-ID: <87wnlzze3k.wl-jch@irif.fr>
From: Juliusz Chroboczek <jch@irif.fr>
To: Michael Ströder
References: <871r471tz1.wl-jch@irif.fr>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/27.1 Mule/6.0
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
CC: galene@lists.galene.org
Subject: [Galene] Re: Help with JWT
List-Id: Galène videoconferencing server discussion list

>> I'm currently working on third-party authentication for Galene using JWTs
>> ("OAuth2" for those of you who like fancy enterprise acronyms),

> Better stick to "OpenID Connect" (short "OIC" or "OIDC") right from the
> beginning (see https://openid.net/developers/specs/). It's kind of
> a well-defined OAuth2 profile for user data.

Sorry, perhaps I should not have mentioned OAuth2.

I'm implementing a simple and hopefully secure protocol based on JWT that
will allow people to write their own authentication servers in 100 lines
of Python. The hope is that this will avoid the need to do e.g. LDAP
integration in Galene itself. I am not interested in implementing
hundreds of pages of bureaucratic rules unless they actually improve
security.

> Then you should look into what you receive in an ID token:
>
> https://openid.net/specs/openid-connect-core-1_0.html#IDToken

This appears to mandate the use of OAuth2 client ids, which I'm not
implementing unless someone explains to me what actual attacks they
protect against.

>> 4. I'm planning to implement HS256 and ES256. We good?

> Abstract from algorithms as much as possible, make it
> configurable. Support PKCE. Again, use a library.

Certainly not -- that's how you become the victim of downgrade attacks.

-- Juliusz
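The downgrade concern raised at the end of the message, shown as an added example that is not Galène's code and not the protocol Juliusz describes: a minimal HS256 issuer (the "100 lines of Python" auth-server side) next to a verifier that pins one algorithm and one key rather than dispatching on the token's own "alg" header. It uses only the Python standard library; ES256 is left out because signing it needs a third-party library. The claim names (sub, aud, exp, iat), the audience string "galene" and the demo key are assumptions made for the example. The demo then feeds the verifier an "alg":"none" token, a token whose header was rewritten to another algorithm, a tampered payload and an expired token, and reports that each is refused.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised for any token the verifier refuses."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT strips base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_hs256(claims: dict, key: bytes) -> str:
    """Auth-server side: build a compact JWS signed with HMAC-SHA256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_hs256(token: str, key: bytes, audience: str, now=None) -> dict:
    """Verifier side: exactly one algorithm and one key are acceptable.

    The token's "alg" header is compared for equality and never used to
    choose a routine; that is what closes the "none" and key-confusion
    downgrades that a configurable verifier is exposed to.
    """
    if not token.isascii():
        raise TokenError("non-ASCII token")
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    try:
        header = json.loads(b64url_decode(parts[0]))
        given = b64url_decode(parts[2])
    except ValueError as exc:  # binascii.Error and JSON errors are ValueErrors
        raise TokenError("undecodable header or signature") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):  # constant-time comparison
        raise TokenError("bad signature")
    # Only a token with a valid signature gets its claims parsed.
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:
        raise TokenError("undecodable payload") from exc
    if not isinstance(claims, dict):
        raise TokenError("payload is not an object")
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenError("missing or past exp")
    if claims.get("aud") != audience:
        raise TokenError("wrong audience")
    return claims


def rejects(token: str, key: bytes, now) -> bool:
    """True if the verifier refuses the token for audience "galene"."""
    try:
        verify_hs256(token, key, "galene", now=now)
    except TokenError:
        return True
    return False


def demo() -> dict:
    # Constructed demo key and fixed clock; a deployment loads both elsewhere.
    key = hashlib.sha256(b"constructed demo secret, not a real key").digest()
    now = 1_700_000_000
    claims = {"sub": "alice", "aud": "galene", "iat": now, "exp": now + 300}
    token = issue_hs256(claims, key)
    header, payload, signature = token.split(".")
    results = {"valid": verify_hs256(token, key, "galene", now=now)}
    # Downgrade 1: "alg": "none" with an empty signature; a verifier that
    # dispatches on the header would skip the signature check entirely.
    none_header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    results["none_rejected"] = rejects(f"{none_header}.{payload}.", key, now)
    # Downgrade 2: header rewritten to another algorithm, signature untouched.
    swapped_header = b64url_encode(b'{"alg":"RS256","typ":"JWT"}')
    results["alg_swap_rejected"] = rejects(f"{swapped_header}.{payload}.{signature}", key, now)
    # Tampering: payload edited, original signature kept.
    forged_payload = b64url_encode(json.dumps(dict(claims, sub="admin"), separators=(",", ":")).encode())
    results["tamper_rejected"] = rejects(f"{header}.{forged_payload}.{signature}", key, now)
    # Replay after expiry.
    results["expired_rejected"] = rejects(token, key, now + 300)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point to carry over to a real deployment is the shape of verify_hs256: the accepted algorithm and key are fixed by the server's configuration, so a token header can never talk the verifier into a weaker or different check. Adding ES256 means a second verifier of the same shape, selected by configuration, not a verifier that reads "alg" and looks the routine up in a table.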