This repository has been archived by the owner on Feb 19, 2019. It is now read-only.
Mozilla websites which consume the MozLDAP web services should do so in a secure manner.
They should be done over https
They should sign their requests
MozLDAP should verify request signatures, before servicing a request.
Each webapp would have to register the following:
(I need to play with the real APIs more, bear with me)
If the signature is valid, continue servicing the request. Otherwise respond with a 401 or other relevant HTTP code.
Benefits - Operations can lock down who can use mozLDAP. They can change secret AppIDs and Secret keys as needed.
(Updated: removed my original proposal as HAWK is a better idea)
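One way the server-side signature check described above could look, modelled on the Hawk header MAC. This is an added example, not code from the original issue or from MozLDAP. The app id, secret, host and the names `hawk_mac` and `verify_request` are constructed for illustration, and the `Authorization: Hawk ...` header is assumed to be already parsed into the `attrs` dict.

```python
import base64
import hashlib
import hmac
import time

# Constructed credential store: registered app id -> shared secret key.
CREDENTIALS = {"example-webapp": b"constructed-secret-key"}
MAX_SKEW = 60           # seconds of clock skew tolerated between client and server
_seen_nonces = set()    # in-memory replay cache; a shared store with expiry in practice

def hawk_mac(key, ts, nonce, method, resource, host, port, payload_hash="", ext=""):
    """Base64 HMAC-SHA256 over the Hawk 'header' normalized request string."""
    ext = ext.replace("\\", "\\\\").replace("\n", "\\n")
    normalized = "\n".join([
        "hawk.1.header", str(ts), nonce, method.upper(), resource,
        host.lower(), str(port), payload_hash, ext,
    ]) + "\n"
    digest = hmac.new(key, normalized.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def verify_request(attrs, method, resource, host, port, now=None):
    """Return 200 to continue servicing the request, 401 otherwise."""
    now = time.time() if now is None else now
    key = CREDENTIALS.get(attrs.get("id"))
    if key is None:
        return 401                      # unregistered app id
    try:
        ts = int(attrs["ts"])
        nonce, mac = attrs["nonce"], attrs["mac"]
    except (KeyError, ValueError):
        return 401                      # missing or malformed attribute
    if abs(now - ts) > MAX_SKEW:
        return 401                      # stale or future-dated request
    expected = hawk_mac(key, ts, nonce, method, resource, host, port,
                        attrs.get("hash", ""), attrs.get("ext", ""))
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return 401
    # Record the nonce only after the MAC checks out, so unauthenticated
    # traffic cannot fill the replay cache.
    if (attrs["id"], nonce) in _seen_nonces:
        return 401                      # replayed request
    _seen_nonces.add((attrs["id"], nonce))
    return 200
```

Payload hash validation is left out: the `hash` attribute is covered by the MAC but is not recomputed from the request body here.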