Galène videoconferencing server discussion list archives
 help / color / mirror / Atom feed
From: "Michael Ströder" <michael@stroeder.com>
To: galene@lists.galene.org
Subject: [Galene] Re: Help with JWT
Date: Tue, 26 Oct 2021 21:47:12 +0200	[thread overview]
Message-ID: <defefdbd-2652-9ffd-11b9-4abb4a39a3a6@stroeder.com> (raw)
In-Reply-To: <871r471tz1.wl-jch@irif.fr>

On 10/26/21 21:12, Juliusz Chroboczek wrote:
> I'm currently working on third-party authentication for Galene using JWTs
> ("OAuth2" for those of you who like fancy enterprise acronyms),

Better stick to "OpenID Connect" (short "OIC" or "OIDC") right from the 
beginning (see https://openid.net/developers/specs/). It's kind of a 
well-defined OAuth2 profile for user data. Don't confuse it with 
"OpenID" 1.0 and 2.0 because OIDC is a completely new protocol.

You should definitely test your stuff with a third-party OpenID Connect 
Provider (OP).

Since you're a Go developer you might want to start with dex:

https://github.com/dexidp/dex

It is a very simple one without session management, so no SSO at all.

You could also test with Keycloak which is a full-blown WebSSO server 
with built-in user database. But it's fairly easy to use a simple 
container setup.

 > 1. The username should be stored in "aud", right?
 >
 > 2. The group name should be stored in "sub", right?  Should that be the
 >     naked group name, or the full URL ?

Then you should look into what you receive in an ID token:

https://openid.net/specs/openid-connect-core-1_0.html#IDToken

I have no experience which Go library is currently recommended for OIDC. 
But I'd strongly recommend to use one.

Not sure whether the lists here are kept up-to-date, I'd search 
somewhere else too:

https://openid.net/developers/libraries/

 > 3. Where do I stash the permissions granted to the user?  Should I use
 >     a "collision-resistant" claim name, say 
"https://galene.org/permissions",
 >     or is it enough to just use "permissions"?  Perhaps 
"galene-permissions"?

Note that the attributes are delivered to your application. IMHO it's ok 
to use a short name.

> 4. I'm planning to implement HS256 and ES256.  We good?
Abstract from algorithms as much as possible, make it configurable. 
Support PKCE. Again, use a library.

Regarding authorization:

If Galene groups could be queried via API you could delegate the 
authorization who can access which group to this API server by passing 
tokens to it...

Ciao, Michael.

  reply	other threads:[~2021-10-26 19:47 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-10-26 19:12 [Galene] " Juliusz Chroboczek
2021-10-26 19:47 ` Michael Ströder [this message]
2021-10-26 21:10   ` [Galene] " Juliusz Chroboczek
     [not found] ` <a4ed9394-4515-ca8a-929c-0b7175a58c10@crans.org>
2021-11-03 19:10   ` graillot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://lists.galene.org/postorius/lists/galene.lists.galene.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=defefdbd-2652-9ffd-11b9-4abb4a39a3a6@stroeder.com \
    --to=michael@stroeder.com \
    --cc=galene@lists.galene.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox