Skip to content

Added language requiring authorization of stream management API #173

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Jun 10, 2024
Merged

Added language requiring authorization of stream management API #173

merged 6 commits into from
Jun 10, 2024

Conversation

@FragLegs
Copy link
Contributor

@FragLegs FragLegs commented May 23, 2024
edited
Loading

To address the attacks proposed in #161 and #160, this PR adda a paragraph indicating that all Stream Management API endpoints must use authorization that associates stream IDs with a specific Receiver, unless some other method of trust is established.

@FragLegs FragLegs requested a review from a team as a code owner May 23, 2024 16:24
appsdesh
appsdesh reviewed May 23, 2024
View reviewed changes
This was referenced May 24, 2024
Closed
Merged
This was linked to issues May 24, 2024
Stream Audience Mix-Up #161
Closed
Attacker Stream Subject Insertion #160
Closed
@tulshi tulshi requested a review from timcappalli May 24, 2024 20:41
tulshi
tulshi reviewed May 24, 2024
View reviewed changes
timcappalli
timcappalli approved these changes May 26, 2024
View reviewed changes
@FragLegs
Copy link
Contributor Author

FragLegs commented Jun 4, 2024

Update RFC2818 and RFC7235 to RFC9110

FragLegs added 3 commits June 6, 2024 16:28
@FragLegs
Update RFC references
9f942f0
@FragLegs
Make it clear that HTTPS is required for the jwks_uri and all stream …
78eb6bb 
…management API endpoints, regardless of whether there is an alternative way of securing the communication. Add language saying the the Transmitter should also tie the 'aud' value to the auth from the Receiver.
@FragLegs
Add RFC9110 to references
b7b8e8a
@tulshi tulshi merged commit d2607b9 into main Jun 10, 2024
@tulshi tulshi deleted the 161-require-auth branch June 10, 2024 17:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@appsdesh appsdesh appsdesh left review comments

@timcappalli timcappalli timcappalli approved these changes

@tulshi tulshi tulshi approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Stream Audience Mix-Up Attacker Stream Subject Insertion

5 participants

@FragLegs @appsdesh @timcappalli @tulshi