From: Michael Ströder <michael@stroeder.com>
To: galene@lists.galene.org
Date: Tue, 26 Oct 2021 21:47:12 +0200
Subject: [Galene] Re: Help with JWT
In-Reply-To: <871r471tz1.wl-jch@irif.fr>

On 10/26/21 21:12, Juliusz Chroboczek wrote:
> I'm currently working on third-party authentication for Galene using JWTs
> ("OAuth2" for those of you who like fancy enterprise acronyms),

Better stick to "OpenID Connect" (short "OIC" or "OIDC") right from the beginning (see https://openid.net/developers/specs/). It's kind of a well-defined OAuth2 profile for user data. Don't confuse it with "OpenID" 1.0 and 2.0, because OIDC is a completely new protocol.

You should definitely test your stuff with a third-party OpenID Connect Provider (OP). Since you're a Go developer you might want to start with dex: https://github.com/dexidp/dex It is a very simple one without session management, so no SSO at all. You could also test with Keycloak, which is a full-blown WebSSO server with a built-in user database. But it's fairly easy to use a simple container setup.

> 1. The username should be stored in "aud", right?
>
> 2. The group name should be stored in "sub", right? Should that be the
> naked group name, or the full URL?

Then you should look into what you receive in an ID token: https://openid.net/specs/openid-connect-core-1_0.html#IDToken

I have no experience with which Go library is currently recommended for OIDC. But I'd strongly recommend using one. Not sure whether the lists here are kept up-to-date, I'd search somewhere else too: https://openid.net/developers/libraries/

> 3. Where do I stash the permissions granted to the user? Should I use
> a "collision-resistant" claim name, say "https://galene.org/permissions",
> or is it enough to just use "permissions"? Perhaps "galene-permissions"?

Note that the attributes are delivered to your application. IMHO it's ok to use a short name.

> 4. I'm planning to implement HS256 and ES256. We good?

Abstract from algorithms as much as possible, make it configurable. Support PKCE. Again, use a library.

Regarding authorization: If Galene groups could be queried via API you could delegate the authorization of who can access which group to this API server by passing tokens to it...

Ciao, Michael.
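An added example (not from this thread and not Galene's own code) of the minimal checks a relying party has to perform on an HS256 ID token, following the claim meanings in the Core spec linked above: `sub` identifies the user, `aud` must equal the relying party's own client identifier, and the header's `alg` is compared against a fixed expectation rather than trusted. The `permissions` claim name, the issuer URL and the key are assumptions for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims is the subset read here: sub names the user, aud must equal this
// service's own client id, "permissions" is an assumed application claim.
type Claims struct {
	Iss         string   `json:"iss"`
	Sub         string   `json:"sub"`
	Aud         string   `json:"aud"` // string form only; the spec also allows an array
	Exp         int64    `json:"exp"`
	Permissions []string `json:"permissions"`
}

// verifyHS256 pins the algorithm, checks the MAC in constant time, then
// validates iss, aud and exp (now is Unix seconds) before returning the claims.
func verifyHS256(key []byte, token, wantIss, wantAud string, now int64) (*Claims, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	hj, e1 := base64.RawURLEncoding.DecodeString(p[0])
	pj, e2 := base64.RawURLEncoding.DecodeString(p[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(p[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, errors.New("bad base64url")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hj, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unexpected alg") // never let the token pick the algorithm
	}
	m := hmac.New(sha256.New, key)
	m.Write([]byte(p[0] + "." + p[1]))
	if !hmac.Equal(sig, m.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if json.Unmarshal(pj, &c) != nil || c.Iss != wantIss || c.Aud != wantAud || c.Exp <= now {
		return nil, errors.New("claims rejected")
	}
	return &c, nil
}
```

A library, as recommended above, additionally covers ES256, key discovery from the OP and the array form of `aud`; the fixed algorithm check and the iss/aud/exp validation are the parts that must not be skipped whichever way the token is parsed.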