Galène videoconferencing server discussion list archives
 help / color / mirror / Atom feed
From: "Michael Ströder" <>
Subject: [Galene] Re: Help with JWT
Date: Tue, 26 Oct 2021 21:47:12 +0200	[thread overview]
Message-ID: <> (raw)
In-Reply-To: <>

On 10/26/21 21:12, Juliusz Chroboczek wrote:
> I'm currently working on third-party authentication for Galene using JWTs
> ("OAuth2" for those of you who like fancy enterprise acronyms),

Better stick to "OpenID Connect" (short "OIC" or "OIDC") right from the 
beginning (see It's kind of a 
well-defined OAuth2 profile for user data. Don't confuse it with 
"OpenID" 1.0 and 2.0 because OIDC is a completely new protocol.

You should definitely test your stuff with a third-party OpenID Connect 
Provider (OP).

Since you're a Go developer you might want to start with dex:

It is a very simple one without session management, so no SSO at all.

You could also test with Keycloak which is a full-blown WebSSO server 
with built-in user database. But it's fairly easy to use a simple 
container setup.

 > 1. The username should be stored in "aud", right?
 > 2. The group name should be stored in "sub", right?  Should that be the
 >     naked group name, or the full URL ?

Then you should look into what you receive in an ID token:

I have no experience which Go library is currently recommended for OIDC. 
But I'd strongly recommend to use one.

Not sure whether the lists here are kept up-to-date, I'd search 
somewhere else too:

 > 3. Where do I stash the permissions granted to the user?  Should I use
 >     a "collision-resistant" claim name, say 
 >     or is it enough to just use "permissions"?  Perhaps 

Note that the attributes are delivered to your application. IMHO it's ok 
to use a short name.

> 4. I'm planning to implement HS256 and ES256.  We good?
Abstract from algorithms as much as possible, make it configurable. 
Support PKCE. Again, use a library.

Regarding authorization:

If Galene groups could be queried via API you could delegate the 
authorization who can access which group to this API server by passing 
tokens to it...

Ciao, Michael.

  reply	other threads:[~2021-10-26 19:47 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-10-26 19:12 [Galene] " Juliusz Chroboczek
2021-10-26 19:47 ` Michael Ströder [this message]
2021-10-26 21:10   ` [Galene] " Juliusz Chroboczek
     [not found] ` <>
2021-11-03 19:10   ` graillot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

  List information:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \
    --subject='[Galene] Re: Help with JWT' \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox