[PARTNER-275] Add Authorization header for SEP-10 GET /Auth #1470
Merged
JakeUrban
reviewed
Mar 21, 2024
Contributor
JakeUrban
left a comment
This looks like it's 90% there! I added some clarifying questions. Also don't forget to update the version and updated-at field.
JakeUrban
reviewed
Mar 26, 2024
Contributor
JakeUrban
left a comment
Sorry for the repeated delay, a couple more questions / ideas
CassioMG
reviewed
Mar 28, 2024
JakeUrban
previously approved these changes
Mar 28, 2024
| Client must then correctly sign the payload with appropriate Stellar private key. To choose the private key client | ||
| application should follow this steps: | ||
|
|
||
| - If `client_domain` is specified, the token must be signed with the _Client Domain Account_ (i.e. [SEP-1] defined |
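Review bot: In the sentence introducing the list, "should follow this steps" needs to read "these steps", and both that sentence and "Client must then correctly sign the payload with appropriate Stellar private key" drop their articles, which makes a normative passage harder to parse. Suggested wording: "The client must then correctly sign the payload with the appropriate Stellar private key. To choose the private key, the client application should follow these steps:".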
Contributor
Suggested change
| - If `client_domain` is specified, the token must be signed with the _Client Domain Account_ (i.e. [SEP-1] defined | |
| - If `client_domain` is specified, the token must be signed with the **Client Domain Account** (i.e. [SEP-1] defined |
JakeUrban
approved these changes
Mar 28, 2024
ifropc
referenced
this pull request
in stellar/anchor-platform
Apr 15, 2024
…1303)

### Description
- Implementation of the protocol change [1470: Add Authorization header for SEP-10 GET /Auth](https://github.com/stellar/stellar-protocol/pull/1470)
- Migration to the latest version of JJWT library
- Improvement of working with secrets in the code
- Improved JWT secret validation

### Context
- Protocol change
- Old JJWT library doesn't have good support for the algorithm used by the protocol change
- Refactored how we work with JWT secrets in the code: use SecretKey instead of String
- Previously, weak keys were not validated properly and were allowed to be used, even though it's against the guidelines. Now, these keys are properly validated using the underlying JJWT library.

### Testing
- `./gradlew test`
- Add tests for SEP-10 auth header

### Documentation
N/A

### Known limitations
N/A
In the protocol change, an optional Authorization header was added for `GET <WEB_AUTH_ENDPOINT>` endpoint. The header should contain a signed JWT token (using ed25519) with an appropriate key from the request.

For custodial applications, this is a primary Application key, provided in `account` field.

For non-custodial, this will be the `SIGNING_KEY` from toml file hosted in the `client_domain`.

The server will validate that the signature is correct, and that URL in the JWT corresponds to the request. It can optionally filter out requests from all clients that are not allowed by the server.
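The server-side validation described above, as an added example that is not part of the pull request, the SEP-10 text, or any Stellar SDK. The `Bearer` scheme, the claim names `web_auth_endpoint` and `exp`, the exact-match URL comparison and the function names are assumptions; Stellar StrKey decoding is left out and Node `KeyObject`s stand in for the account key or `SIGNING_KEY`.

```javascript
// Added example; claim names and the Bearer scheme are assumptions.
const crypto = require('crypto');
const b64url = (x) => Buffer.from(x).toString('base64url');

// Client: compact JWT signed with an ed25519 private key (alg "EdDSA").
function signAuthJwt(privateKey, claims, alg = 'EdDSA') {
  const header = b64url(JSON.stringify({ alg, typ: 'JWT' }));
  const signingInput = `${header}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.sign(null, Buffer.from(signingInput), privateKey);
  return `${signingInput}.${b64url(sig)}`;
}

// Server: returns the claims, or throws naming the check that failed.
// expectedKey is derived from the request, never from the token itself:
// the `account` key (custodial) or the client_domain's SIGNING_KEY.
function verifyAuthHeader(authorization, expectedKey, requestUrl,
                          now = Date.now() / 1000) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(authorization || '');
  if (!m) throw new Error('malformed Authorization header');
  const [, head, body, sig] = m;
  const header = JSON.parse(Buffer.from(head, 'base64url').toString());
  // Pin the algorithm so the token cannot select "none" or an HMAC variant.
  if (header.alg !== 'EdDSA') throw new Error('unexpected alg');
  const ok = crypto.verify(null, Buffer.from(`${head}.${body}`), expectedKey,
    Buffer.from(sig, 'base64url'));
  if (!ok) throw new Error('bad signature');
  // Claims are read only after the signature has been verified.
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  if (claims.web_auth_endpoint !== requestUrl) throw new Error('URL mismatch');
  if (typeof claims.exp !== 'number' || claims.exp < now) throw new Error('expired');
  return claims;
}

// Constructed demo input: throwaway key pair and placeholder URL.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const url = 'https://auth.example.com/auth?account=GCONSTRUCTED';
  const exp = Math.floor(Date.now() / 1000) + 300;
  const token = signAuthJwt(privateKey, { web_auth_endpoint: url, exp });
  return verifyAuthHeader(`Bearer ${token}`, publicKey, url);
}
console.log(demo());
```

The signature is checked against a key the server derives from the request parameters, so a token signed by any other key fails even if its claims are well-formed.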