I'm currently working on third-party authentication for Galene using JWTs ("OAuth2" for those of you who like fancy enterprise acronyms), and I need some help from people familiar with JWTs.

1. The username should be stored in "aud", right?

2. The group name should be stored in "sub", right? Should that be the naked group name, or the full URL?

3. Where do I stash the permissions granted to the user? Should I use a "collision-resistant" claim name, say "https://galene.org/permissions", or is it enough to just use "permissions"? Perhaps "galene-permissions"?

4. I'm planning to implement HS256 and ES256. We good?

-- Juliusz
On 10/26/21 21:12, Juliusz Chroboczek wrote:
> I'm currently working on third-party authentication for Galene using JWTs
> ("OAuth2" for those of you who like fancy enterprise acronyms),

Better stick to "OpenID Connect" (short "OIC" or "OIDC") right from the beginning (see https://openid.net/developers/specs/). It's kind of a well-defined OAuth2 profile for user data. Don't confuse it with "OpenID" 1.0 and 2.0 because OIDC is a completely new protocol.

You should definitely test your stuff with a third-party OpenID Connect Provider (OP). Since you're a Go developer you might want to start with dex: https://github.com/dexidp/dex It is a very simple one without session management, so no SSO at all. You could also test with Keycloak which is a full-blown WebSSO server with built-in user database. But it's fairly easy to use a simple container setup.

> 1. The username should be stored in "aud", right?
>
> 2. The group name should be stored in "sub", right? Should that be the
> naked group name, or the full URL?

Then you should look into what you receive in an ID token: https://openid.net/specs/openid-connect-core-1_0.html#IDToken

I have no experience which Go library is currently recommended for OIDC. But I'd strongly recommend to use one. Not sure whether the lists here are kept up-to-date, I'd search somewhere else too: https://openid.net/developers/libraries/

> 3. Where do I stash the permissions granted to the user? Should I use
> a "collision-resistant" claim name, say "https://galene.org/permissions",
> or is it enough to just use "permissions"? Perhaps "galene-permissions"?

Note that the attributes are delivered to your application. IMHO it's ok to use a short name.

> 4. I'm planning to implement HS256 and ES256. We good?

Abstract from algorithms as much as possible, make it configurable. Support PKCE. Again, use a library.

Regarding authorization: if Galene groups could be queried via API you could delegate the authorization of who can access which group to this API server by passing tokens to it...

Ciao, Michael.
>> I'm currently working on third-party authentication for Galene using JWTs
>> ("OAuth2" for those of you who like fancy enterprise acronyms),
> Better stick to "OpenID Connect" (short "OIC" or "OIDC") right from the
> beginning (see https://openid.net/developers/specs/). It's kind of
> a well-defined OAuth2 profile for user data.

Sorry, perhaps I should not have mentioned OAuth2. I'm implementing a simple and hopefully secure protocol based on JWT that will allow people to write their own authentication servers in 100 lines of Python. The hope is that this will avoid the need to do e.g. LDAP integration in Galene itself. I am not interested in implementing hundreds of pages of bureaucratic rules unless they actually improve security.

> Then you should look into what you receive in an ID token:
>
> https://openid.net/specs/openid-connect-core-1_0.html#IDToken

This appears to mandate the use of OAuth2 client ids, which I'm not implementing unless someone explains to me what actual attacks they protect against.

>> 4. I'm planning to implement HS256 and ES256. We good?
> Abstract from algorithms as much as possible, make it
> configurable. Support PKCE. Again, use a library.

Certainly not -- that's how you become the victim of downgrade attacks.

-- Juliusz
Hello Juliusz,

> I'm currently working on third-party authentication for Galene using JWTs
> ("OAuth2" for those of you who like fancy enterprise acronyms), and I need
> some help from people familiar with JWTs.
>
> 1. The username should be stored in "aud", right?
>
> 2. The group name should be stored in "sub", right? Should that be the
> naked group name, or the full URL?

I think the username should be stored in sub and the group name should be stored in aud, it is a minor detail though and it should be fine either way. I have a preference for the naked group name rather than the full URL.

> 3. Where do I stash the permissions granted to the user? Should I use
> a "collision-resistant" claim name, say "https://galene.org/permissions",
> or is it enough to just use "permissions"? Perhaps "galene-permissions"?

I think using a small name such as "perm" is also fine. I also think that this field should be optional and have a sane default (maybe it could be set in the configuration?).

> 4. I'm planning to implement HS256 and ES256. We good?

I think it's a good set of algorithms.

> -- Juliusz

In addition to that I think that the "nbf" and "exp" fields should also be checked by galene to ensure the validity of the token.

Here is a small proof of concept which is a minimal web server that has an LDAP backend and generates a token (with no permission at the moment): <https://gitlab.crans.org/esum/jwt-ldap>.

-- Benjamin
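A minimal issuer and verifier for the token layout discussed in this thread, as an added example that is not code from Galene or from the linked proof of concept: username in "sub", group in "aud", a short optional "perm" claim with a verifier-side default, "nbf"/"exp" enforced, and the algorithm pinned to HS256 in the verifier rather than read from the token header (the downgrade concern raised above). The claim names, the default permission list and the sample secret are assumptions; it uses only the Python standard library.

```python
import base64
import hashlib
import hmac
import json

ALG = "HS256"  # fixed by the verifier's configuration, never by the token header


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()


def issue_token(secret, username, group, now, perms=None, ttl=300):
    # Claim names (sub, aud, perm) follow the thread's suggestions; they are assumptions.
    header = {"alg": ALG, "typ": "JWT"}
    claims = {"sub": username, "aud": group, "nbf": now, "exp": now + ttl}
    if perms is not None:  # "perm" is optional; the verifier supplies a default
        claims["perm"] = perms
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    return f"{signing_input}.{_b64url(_hs256(secret, signing_input))}"


def verify_token(secret, token, group, now, default_perms=("present",)):
    """Return the claims or raise ValueError: alg pinned, signature, aud, nbf/exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != ALG:
        raise ValueError("unexpected alg")  # rejects 'none' and algorithm swaps
    if not hmac.compare_digest(_hs256(secret, f"{h}.{c}"), _b64url_decode(s)):
        raise ValueError("bad signature")  # checked before any claim is trusted
    claims = json.loads(_b64url_decode(c))
    if claims.get("aud") != group:
        raise ValueError("token was issued for another group")
    if not (isinstance(claims.get("nbf"), int) and isinstance(claims.get("exp"), int)):
        raise ValueError("nbf/exp missing")
    if not claims["nbf"] <= now < claims["exp"]:
        raise ValueError("token not valid at this time")
    claims.setdefault("perm", list(default_perms))
    return claims
```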