From: "Michael Ströder" <michael@stroeder.com>
To: galene@lists.galene.org
Subject: [Galene] Re: Help with JWT
Date: Tue, 26 Oct 2021 21:47:12 +0200 [thread overview]
Message-ID: <defefdbd-2652-9ffd-11b9-4abb4a39a3a6@stroeder.com> (raw)
In-Reply-To: <871r471tz1.wl-jch@irif.fr>
On 10/26/21 21:12, Juliusz Chroboczek wrote:
> I'm currently working on third-party authentication for Galene using JWTs
> ("OAuth2" for those of you who like fancy enterprise acronyms),
Better stick to "OpenID Connect" (short "OIC" or "OIDC") right from the
beginning (see https://openid.net/developers/specs/). It's kind of a
well-defined OAuth2 profile for user data. Don't confuse it with
"OpenID" 1.0 and 2.0 because OIDC is a completely new protocol.
You should definitely test your stuff with a third-party OpenID Connect
Provider (OP).
Since you're a Go developer you might want to start with dex:
https://github.com/dexidp/dex
It is a very simple one without session management, so no SSO at all.
You could also test with Keycloak which is a full-blown WebSSO server
with built-in user database. But it's fairly easy to use a simple
container setup.
> 1. The username should be stored in "aud", right?
>
> 2. The group name should be stored in "sub", right? Should that be the
> naked group name, or the full URL ?
Then you should look into what you receive in an ID token:
https://openid.net/specs/openid-connect-core-1_0.html#IDToken
I have no experience which Go library is currently recommended for OIDC.
But I'd strongly recommend to use one.
Not sure whether the lists here are kept up-to-date, I'd search
somewhere else too:
https://openid.net/developers/libraries/
> 3. Where do I stash the permissions granted to the user? Should I use
> a "collision-resistant" claim name, say
> "https://galene.org/permissions",
> or is it enough to just use "permissions"? Perhaps
> "galene-permissions"?
Note that the attributes are delivered to your application. IMHO it's ok
to use a short name.
> 4. I'm planning to implement HS256 and ES256. We good?
Abstract from algorithms as much as possible, make it configurable.
Support PKCE. Again, use a library.
Regarding authorization:
If Galene groups could be queried via API you could delegate the
authorization who can access which group to this API server by passing
tokens to it...
Ciao, Michael.
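Added example, not code from Galene or from anyone in this thread: the checks a relying party has to run on an ID token before trusting any claim in it, written against Go's standard library only. The issuer URL https://op.example, the client id galene-demo, the shared secret and the short application claim name galene-permissions are all assumptions made up for the example; per the linked Core spec, sub identifies the user and aud names the client the token is addressed to. The algorithm allow-list, issuer and client id are the pieces the reply says to keep configurable rather than hard-code, and the allow-list is consulted before the token's own alg header gets any say in how it is verified. A real deployment would use a library for key discovery, ES256 and the array form of aud; only HS256 and the string form of aud are implemented here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of ID-token claims checked below. iss, sub, aud, exp
// and iat are required by OpenID Connect Core; "galene-permissions" is a
// hypothetical short-named application claim assumed for illustration.
type Claims struct {
	Iss         string   `json:"iss"`
	Sub         string   `json:"sub"` // the authenticated user
	Aud         string   `json:"aud"` // the relying party's client_id (string form only here)
	Exp         int64    `json:"exp"`
	Iat         int64    `json:"iat"`
	Permissions []string `json:"galene-permissions,omitempty"`
}

// Verifier holds what a relying party loads from configuration: the algorithm
// allow-list, the expected issuer and client_id, the HS256 secret, and an
// injectable clock so tests are deterministic.
type Verifier struct {
	AllowedAlgs map[string]bool
	Issuer      string
	ClientID    string
	HMACKey     []byte
	Now         func() time.Time
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MakeToken builds a compact JWT with the given alg header. It exists only to
// produce constructed sample tokens (a real OP would issue them); for "none"
// the signature part is left empty.
func MakeToken(alg string, claims Claims, key []byte) string {
	h, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	p, _ := json.Marshal(claims)
	input := b64(h) + "." + b64(p)
	if alg == "none" {
		return input + "."
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64(mac.Sum(nil))
}

// Verify checks algorithm, signature, issuer, audience and expiry, in that
// order, and returns the claims only when every check passes.
func (v *Verifier) Verify(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hb, &hdr); err != nil {
		return nil, err
	}
	// The alg header is untrusted input: the configured allow-list decides,
	// never the token itself.
	if !v.AllowedAlgs[hdr.Alg] {
		return nil, fmt.Errorf("algorithm %q not allowed", hdr.Alg)
	}
	if hdr.Alg != "HS256" {
		return nil, fmt.Errorf("algorithm %q allowed but not implemented here", hdr.Alg)
	}
	mac := hmac.New(sha256.New, v.HMACKey)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	if !hmac.Equal(sig, mac.Sum(nil)) { // constant-time comparison
		return nil, errors.New("signature mismatch")
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil {
		return nil, err
	}
	// Claim values are meaningful only after the signature check above.
	if c.Iss != v.Issuer {
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	}
	if c.Aud != v.ClientID {
		return nil, fmt.Errorf("token not addressed to this client: %q", c.Aud)
	}
	if !v.Now().Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	key := []byte("constructed-demo-secret") // constructed sample secret
	v := &Verifier{AllowedAlgs: map[string]bool{"HS256": true}, Issuer: "https://op.example",
		ClientID: "galene-demo", HMACKey: key, Now: time.Now}
	now := time.Now().Unix()
	good := MakeToken("HS256", Claims{Iss: "https://op.example", Sub: "alice", Aud: "galene-demo",
		Exp: now + 3600, Iat: now, Permissions: []string{"present"}}, key)
	fmt.Println(v.Verify(good))
	fmt.Println(v.Verify(MakeToken("none", Claims{Sub: "mallory"}, nil)))
}
```

The order matters: nothing in the payload is read for a decision until the signature has been checked with a key selected by configuration, so a forged alg header or an unsigned token is rejected before its claims are ever parsed.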