Comments (10)
danielchatfield
commented on April 28, 2024
I know you've closed this but thought I'd add my 2ยข.
Could you not support the use of an asymmetric signature scheme? You could have systems that need to check the validity of a token but shouldn't be trusted with the key that can sign them.
from fosite.
danielchatfield
commented on April 28, 2024
Example use case: you might want a high performance proxy to drop all requests with invalid tokens to mitigate a DDoS attack but would not want the secret to be on an internet facing box.
from fosite.
danielchatfield
commented on April 28, 2024
Just to be clear, I think HMAC-256 is perfectly fine but would like the interface to be provided in a way such that it would be easy to swap it for an asymmetric DSA.
from fosite.
aeneasr
commented on April 28, 2024
Definitely appreciate the cents :)
Yes, I think it is a good idea to support different token generation strategies. This is already possible, because Enigma is an interface and the authorize code plugin uses that interface, not a concrete implementation of it. You can switch the code generation strategy (and later access token / refresh token) easily by replacing the dependency in your fosite factory method.
It should however be noted that cryptographic token validation on the resource provider side does not equal token validation by lookup. OAuth2 was designed with revokable tokens in mind, which always requires a database lookup. It fits however very nicely in to your use case:
Example use case: you might want a high performance proxy to drop all requests with invalid tokens to mitigate a DDoS attack but would not want the secret to be on an internet facing box.
Thanks for your input, I really appreciate it!
from fosite.
aeneasr
commented on April 28, 2024
Check out the factory method of the authorize endpoint in the tests. I think this is what you asked for, isn't it? :)
from fosite.
danielchatfield
commented on April 28, 2024
Looks good to me :)
from fosite.
aeneasr
commented on April 28, 2024
Awesome, closing this then :)
from fosite.
aeneasr
commented on April 28, 2024
I just stumbled upon https://tools.ietf.org/html/rfc6819#section-5.1.4.1.5
5.1.4.1.5. Use of Asymmetric Cryptography
Usage of asymmetric cryptography will free the authorization server
of the obligation to manage credentials.
from fosite.
aeneasr
commented on April 28, 2024
JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or ...
Source
And JWS support assymetric algorithms like RS256.
@danielchatfield what do you think of using JWT instead of DSA for your use case?
Also take a look at #16
from fosite.
danielchatfield
commented on April 28, 2024
๐
from fosite.
Related Issues (20)
- Auth Req omitted response_mode does not validate the default response_mode against the ResponseModeClient
- Failing to fetch a PKCE request session fails requests even when PKCE is not enforced HOT 3
- redirect_uri matching does not follow RFC3986 HOT 2
- Changelog is out of sync
- During refresh token grant if token is invalid or expired return status code should be 400 HOT 3
- Allow revoking access token without revoking refresh token HOT 2
- authorize_helper.isLoopbackAddress has flaws HOT 1
- clientCredentialsFromRequest should not expect Basic Authorization terms being URL Escaped HOT 2
- Refresh token flow handler does not set the original request ID in the handler early enough
- use mattn/go-sqlite3 v2.0.3+incompatible no the new version HOT 6
- Failed to decode `id_token_hint` when using different signer for `id_token` and others
- `iat` field in access token (JWT) issued as part of `refresh_token` grant. HOT 8
- Concurrent requests for token endpoint on auth-code flow with same code succeed. HOT 7
- Can not run the example code
- OIDC callback is always HTTPS, even when entered as HTTP HOT 1
- DefaultSigner should support key rotation
- Support per-client signing algorithm HOT 8
- Make prefix used in HMACSHAStrategy configurable
- openid session storage should be deleted when the authcode is exchanged HOT 9
- private_key_jwt assetion tokens can have unbounded expiration which can fill data store HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from fosite.