From: graillot <graillot@crans.org>
To: galene@lists.galene.org
Subject: [Galene] Re: Help with JWT
Date: Wed, 03 Nov 2021 20:10:50 +0100
Message-ID: <fccbaf18c460690d00f036d8a319f535@crans.org>
In-Reply-To: <a4ed9394-4515-ca8a-929c-0b7175a58c10@crans.org>

Hello Juliusz,

> I'm currently working on third-party authentication for Galene using JWTs
> ("OAuth2" for those of you who like fancy enterprise acronyms), and I need
> some help from people familiar with JWTs.
>
> 1. The username should be stored in "aud", right?
>
> 2. The group name should be stored in "sub", right? Should that be the
> naked group name, or the full URL?

I think the username should be stored in sub and the group name should be
stored in aud, it is a minor detail though and it should be fine either way.
I have a preference for the naked group name rather than the full URL.

> 3. Where do I stash the permissions granted to the user? Should I use
> a "collision-resistant" claim name, say "https://galene.org/permissions",
> or is it enough to just use "permissions"? Perhaps "galene-permissions"?

I think using a small name such as "perm" is also fine. I also think that
this field should be optional and have a sane default (maybe it could be set
in the configuration?).

> 4. I'm planning to implement HS256 and ES256. We good?

I think it's a good set of algorithms.

> -- Juliusz

In addition to that I think that the "nbf" and "exp" fields should also be
checked by galene to ensure the validity of the token.

Here is a small proof of concept which is a minimal web server that has an
LDAP backend and generates a token (with no permission at the moment):
<https://gitlab.crans.org/esum/jwt-ldap>.

-- Benjamin
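The claim layout and checks discussed in this thread (user in "sub", naked group name in "aud", an optional short "perm" claim with a default, HS256, and nbf/exp enforced by the server), worked through as an added example that is not part of the original message, of Galene, or of the linked jwt-ldap proof of concept. The function names, the "present" default permission and the sample secret are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Illustrative HS256 issue/verify round trip for the claim layout proposed in
# the thread. Hypothetical helper names; not Galene's or jwt-ldap's code.

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """What the third-party auth server does: issue a compact HS256 JWT."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"

def verify_hs256(token: str, key: bytes, now=None) -> dict:
    """What the receiving server does: pin alg, check MAC, enforce nbf/exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        raise ValueError("unsupported alg")  # never honour an alg the token picks
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64url(sig), expected):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload))
    t = time.time() if now is None else now
    if t < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    if "exp" not in claims or t >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    return claims

def authorize(claims: dict, group: str, default_perm=("present",)) -> tuple:
    """Bind the token to the group being joined; fall back to a configured
    default when the optional "perm" claim is absent (constructed default)."""
    if claims.get("aud") != group:
        raise ValueError("token was issued for a different group")
    return claims["sub"], tuple(claims.get("perm", default_perm))
```

Because "aud" is compared against the group actually being joined, a token minted for one group cannot be replayed against another, which is the practical reason for keeping the group name in the token at all.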