From: "Michael Ströder" <michael@stroeder.com>
To: galene@lists.galene.org
Subject: [Galene] Re: Help with JWT
Date: Tue, 26 Oct 2021 21:47:12 +0200
Message-ID: <defefdbd-2652-9ffd-11b9-4abb4a39a3a6@stroeder.com>
In-Reply-To: <871r471tz1.wl-jch@irif.fr>

On 10/26/21 21:12, Juliusz Chroboczek wrote:
> I'm currently working on third-party authentication for Galene using JWTs
> ("OAuth2" for those of you who like fancy enterprise acronyms),

Better stick to "OpenID Connect" (short "OIC" or "OIDC") right from the beginning (see https://openid.net/developers/specs/). It's kind of a well-defined OAuth2 profile for user data. Don't confuse it with "OpenID" 1.0 and 2.0, because OIDC is a completely new protocol.

You should definitely test your stuff with a third-party OpenID Connect Provider (OP). Since you're a Go developer you might want to start with dex:

https://github.com/dexidp/dex

It is a very simple one without session management, so no SSO at all.

You could also test with Keycloak, which is a full-blown WebSSO server with a built-in user database. But it's fairly easy to use a simple container setup.

> 1. The username should be stored in "aud", right?
>
> 2. The group name should be stored in "sub", right? Should that be the
> naked group name, or the full URL?

Then you should look into what you receive in an ID token:

https://openid.net/specs/openid-connect-core-1_0.html#IDToken

I have no experience of which Go library is currently recommended for OIDC. But I'd strongly recommend using one. Not sure whether the lists here are kept up to date, I'd search somewhere else too:

https://openid.net/developers/libraries/

> 3. Where do I stash the permissions granted to the user? Should I use
> a "collision-resistant" claim name, say "https://galene.org/permissions",
> or is it enough to just use "permissions"? Perhaps "galene-permissions"?

Note that the attributes are delivered to your application. IMHO it's ok to use a short name.

> 4. I'm planning to implement HS256 and ES256. We good?

Abstract from algorithms as much as possible, make it configurable. Support PKCE. Again, use a library.

Regarding authorization: If Galene groups could be queried via API, you could delegate the authorization of who can access which group to this API server by passing tokens to it...

Ciao, Michael.
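Added example (editor's code, not from this thread and not Galène's own implementation): a stand-alone Go verifier for an ES256-signed ID token that fixes the accepted algorithm server-side instead of trusting the token's "alg" header, checks iss, aud and exp, and reads a hypothetical "permissions" claim of the short kind discussed above. The issuer URL https://op.example, the client_id "galene", the claim name and every token in the demo are constructed for this example; the SignES256 function stands in for the OP so the program runs offline. A real deployment fetches the OP's keys from its JWKS endpoint, handles "aud" as a string or an array, and is better served by a maintained OIDC library, as the reply recommends.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims is the subset of an OIDC ID token this example checks. The claim
// name "permissions" is an assumption; "aud" is modelled as a plain string.
type Claims struct {
	Iss         string   `json:"iss"`
	Sub         string   `json:"sub"`
	Aud         string   `json:"aud"`
	Exp         int64    `json:"exp"`
	Permissions []string `json:"permissions,omitempty"`
}

// Verifier holds what the operator configures: the OP's ES256 key, the issuer
// URL and our own client_id. The accepted algorithm follows from the key, so
// a second algorithm would be another configured key, never a header value.
type Verifier struct {
	Key    *ecdsa.PublicKey
	Issuer string
	Aud    string
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// encode builds the header.payload signing input for a token with the given alg.
func encode(alg string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg})
	body, _ := json.Marshal(c)
	return b64(hdr) + "." + b64(body)
}

// SignES256 stands in for the OP. JOSE encodes the signature as fixed-width
// R||S (32 bytes each), not as the ASN.1 DER that ecdsa.SignASN1 produces.
func SignES256(key *ecdsa.PrivateKey, c Claims) string {
	in := encode("ES256", c)
	h := sha256.Sum256([]byte(in))
	r, s, err := ecdsa.Sign(rand.Reader, key, h[:])
	if err != nil {
		panic(err) // demo signer only
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return in + "." + b64(sig)
}

// Verify checks the signature first, then issuer, audience and expiry.
func (v *Verifier) Verify(token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		var err error
		if raw[i], err = base64.RawURLEncoding.DecodeString(p); err != nil {
			return nil, err
		}
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw[0], &hdr); err != nil {
		return nil, err
	}
	// The header is compared against what we accept, never used to pick the
	// check: "none", or HS256 aimed at an ECDSA key, is refused right here.
	if hdr.Alg != "ES256" {
		return nil, fmt.Errorf("alg %q not accepted", hdr.Alg)
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig := raw[2]
	if len(sig) != 64 || !ecdsa.Verify(v.Key, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("bad ECDSA signature")
	}
	var c Claims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != v.Issuer || c.Aud != v.Aud {
		return nil, errors.New("issuer or audience mismatch")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// Demo runs the verifier over constructed tokens with a freshly generated key.
func Demo() (map[string]bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	v := &Verifier{Key: &priv.PublicKey, Issuer: "https://op.example", Aud: "galene"}
	now := time.Unix(1700000000, 0)
	good := Claims{Iss: v.Issuer, Sub: "alice", Aud: v.Aud, Exp: now.Unix() + 300, Permissions: []string{"present"}}
	tok := SignES256(priv, good)
	c, err := v.Verify(tok, now)
	res := map[string]bool{"es256 accepted": err == nil && c.Sub == "alice" && c.Permissions[0] == "present"}
	// Key confusion: same claims, alg switched to HS256. In the classic attack
	// the MAC uses the server's public key; here the signature is arbitrary,
	// because the token is refused before any MAC would be computed.
	_, err = v.Verify(encode("HS256", good)+"."+b64([]byte("forged")), now)
	res["hs256 rejected"] = err != nil
	// Tampering: keep the valid header and signature, swap in a payload that
	// grants more permissions. The signature no longer matches.
	evil := good
	evil.Permissions = []string{"op"}
	p := strings.Split(tok, ".")
	_, err = v.Verify(p[0]+"."+strings.Split(encode("ES256", evil), ".")[1]+"."+p[2], now)
	res["tampered rejected"] = err != nil
	expired := good
	expired.Exp = now.Unix() - 1
	_, err = v.Verify(SignES256(priv, expired), now)
	res["expired rejected"] = err != nil
	return res, nil
}

func main() {
	fmt.Println(Demo())
}
```

The order inside Verify matters: the algorithm check and signature run before any claim is read, so a token whose payload was never authenticated cannot influence what the server does, and the aud check is what stops an ID token issued to a different client at the same OP from being replayed against Galène.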
Thread overview (4+ messages):
2021-10-26 19:12 [Galene] Help with JWT - Juliusz Chroboczek
2021-10-26 19:47 ` [Galene] Re: Help with JWT - Michael Ströder [this message]
2021-10-26 21:10 ` [Galene] Re: Help with JWT - Juliusz Chroboczek
[not found] ` <a4ed9394-4515-ca8a-929c-0b7175a58c10@crans.org>
2021-11-03 19:10 ` graillot