From: graillot <graillot@crans.org>
To: galene@lists.galene.org
Date: Wed, 03 Nov 2021 20:10:50 +0100
Subject: [Galene] Re: Help with JWT
References: <871r471tz1.wl-jch@irif.fr>

Hello Juliusz,

> I'm currently working on third-party authentication for Galene using
> JWTs ("OAuth2" for those of you who like fancy enterprise acronyms),
> and I need some help from people familiar with JWTs.
>
> 1. The username should be stored in "aud", right?
>
> 2. The group name should be stored in "sub", right? Should that be the
> naked group name, or the full URL?
I think the username should be stored in sub and the group name should be
stored in aud; it is a minor detail though, and it should be fine either
way. I have a preference for the naked group name rather than the full URL.

> 3. Where do I stash the permissions granted to the user? Should I use
> a "collision-resistant" claim name, say "https://galene.org/permissions",
> or is it enough to just use "permissions"? Perhaps "galene-permissions"?

I think using a small name such as "perm" is also fine. I also think that
this field should be optional and have a sane default (maybe it could be
set in the configuration?).

> 4. I'm planning to implement HS256 and ES256. We good?

I think it's a good set of algorithms.

> -- Juliusz

In addition to that, I think that the "nbf" and "exp" fields should also be
checked by Galene to ensure the validity of the token.

Here is a small proof of concept which is a minimal web server that has an
LDAP backend and generates a token (with no permission at the moment): .

-- Benjamin