New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
enigma: How to sign and verify tokens or let's use HMAC-SHA256 #11
Comments
I know you've closed this but thought I'd add my 2¢. Could you not support the use of an asymmetric signature scheme? You could have systems that need to check the validity of a token but shouldn't be trusted with the key that can sign them. |
Example use case: you might want a high performance proxy to drop all requests with invalid tokens to mitigate a DDoS attack but would not want the secret to be on an internet facing box. |
Just to be clear, I think HMAC-256 is perfectly fine but would like the interface to be provided in a way such that it would be easy to swap it for an asymmetric DSA. |
Definitely appreciate the cents :) Yes, I think it is a good idea to support different token generation strategies. This is already possible, because Enigma is an interface and the authorize code plugin uses that interface, not a concrete implementation of it. You can switch the code generation strategy (and later access token / refresh token) easily by replacing the dependency in your fosite factory method. It should however be noted that cryptographic token validation on the resource provider side does not equal token validation by lookup. OAuth2 was designed with revokable tokens in mind, which always requires a database lookup. It fits however very nicely in to your use case:
Thanks for your input, I really appreciate it! |
Check out the factory method of the authorize endpoint in the tests. I think this is what you asked for, isn't it? :) |
Looks good to me :) |
Awesome, closing this then :) |
I just stumbled upon https://tools.ietf.org/html/rfc6819#section-5.1.4.1.5
|
And JWS support assymetric algorithms like RS256. @danielchatfield what do you think of using JWT instead of DSA for your use case? Also take a look at #16 |
👍 |
fix: vulnerable dependencies
Right now, tokens are going to be saved as a hashed version. I think there should be one more step.
Issuance:
Validation:
The secret encryption key should in fact be {global-secret}-{app-secret} making client validation easier and automaticall revoking tokens when secrets are changed.
This has upsides:
It should be noted that the secret encryption key is replaceable. Clients are expected to handle revoked tokens if they implement OAuth2. Replacing the current secret encryption key with a new one would render all previously generated tokens to become invalid. Clients should handle this by re-authorizing.
The more I think about this, the more I like this idea.
The text was updated successfully, but these errors were encountered: