httpsig and short-lived bearer tokens as alternative to sharedSecret #98
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This would allow for some more modern security best practices like pre-registering clients and making the access token short-lived and client-bound
Closed
|
I think we should use a GNAP grant request instead. Will update. |
GNAP is more appropriate here because it makes way less assumptions about the interaction (in particular it doesn't assume the use of browser redirects)
michielbdejong
changed the title
Merged
glpatcern
approved these changes
Aug 27, 2024
|
We can reuse the format of the WWW-Authenticate header defined for GNAP in section 9.1 of https://datatracker.ietf.org/doc/draft-ietf-gnap-core-protocol/ so then it would be |
michielbdejong
changed the title
|
See cs3org/ocm-test-suite#88 (comment) for a demo of how this would work |
glpatcern
reviewed
Sep 3, 2024
|
Nice to see you already have your ocm-stub doing this. Would you add |
michielbdejong
added a commit
that referenced
this pull request
Sep 4, 2024
…98) * OAuth code as alternative to sharedSecret This would allow for some more modern security best practices like pre-registering clients and making the access token short-lived and client-bound * whitespace * typo * GNAP instead of OAuth 2.0 Authorization Code flow GNAP is more appropriate here because it makes way less assumptions about the interaction (in particular it doesn't assume the use of browser redirects) * camel case * simplify from GNAP to httpsig+bearer * clarify language * `<OCM endpoint>/token`
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This would allow for some more modern security best practices like pre-registering clients and making the access token short-lived and client-bound