sso_proxy: document request signing #185
Comments
|
Note: The old method for request signing (based on a per-upstream shared secret) is documented here: Those docs should probably be deprecated or removed in favor of the new approach! |
Turns out the above generates a key in PKCS#1 format (I think?), but we need one in PKCS#8 format, which requires an extra conversion step. Luckily, this is still relatively straightforward to do in one pass: Many thanks to the wizards of Stack Overflow for explaining this. |
|
I found the documentation pretty sparse and needed a NodeJS application to verify the signatures. I created a library at: https://www.npmjs.com/package/signature-verifier-buzzfeed-sso Hopefully this helps someone. |
|
Is it possible to do request signing with not-RSA? |
Is your feature request related to a problem? Please describe.
The public key-based request signing functionality added to sso_proxy in #106 is undocumented. In particular, it's not immediately obvious how to a) generate an appropriate keypair or b) validate a signed request in an upstream service.
Describe the solution you'd like
New documentation for this functionality, ideally accompanied by a reference implementation for verifying a signed request.
To start, generating an appropriate keypair for sso_proxy to use for signing requests is as simple as
The text was updated successfully, but these errors were encountered: