feat(oauth2.go): introduce JWT creation and validation for CLI sessions #1142
Conversation
ale8k
requested review from
alesstimec,
kian99,
babakks and
mina1460
as code owners
There was a problem hiding this comment.
looks good, but I am always worried with symmetric key encryption, I prefer ES256 or RSA, especially that brute forcing HS256 is possible, and HS256 can dangerous if not protected with TLS or if it can be accessed from the outside network (maybe by poor on-prem config).
| return nil, errors.E(op, err, "failed to build access token") | ||
| } | ||
|
|
||
| freshToken, err := jwt.Sign(token, jwt.WithKey(jwa.HS256, []byte(secretKey))) |
There was a problem hiding this comment.
are we positive on the use of HS256 (symmetric encryption)? why not RS256 or other asymmetric encryption
There was a problem hiding this comment.
the safer alternative doesn't look that much more complicated, but I am not an expert on any of the auth stuff
serialized, err := jwt.Sign(token, jwt.WithKey(jwa.RS256, signingKey, jws.WithProtectedHeaders(hdrs)))
There was a problem hiding this comment.
Only we need to know the contents, asymmetric is purely if the receiving party needs to validate / read contents.
There was a problem hiding this comment.
Signing the token with RS256 or HS256 does not influence whether the token is readable though.
There was a problem hiding this comment.
Absolutely, but why would we have a pub/priv key that's only kept server side?
* feat(logindevice): implements LoginDevice Login device now stores the oauth response on the controllerroot such that it can be shared with the second step of the flow, GetDeviceAccessToken upon a successful login from a user. It is expected that the same websocket be used for both facade calls. This prevents the need to associate a LoginDevice call to a GetDeviceAccessToken. In addition to this, the library actually expects the oauth response from device to be sent to deviceaccesstoken. 6714 * PR comments * pr comments * Wait on ci so all containers healthy * Fix CI * fix * remove "finished" from dc * feat(oauth2.go): introduce JWT creation and validation for CLI sessions (#1142) * feat(oauth2.go): introduce JWT creation and validation for CLI sessions * feat(package doc for auth): adds a package doc for auth * feat(auth): update error code * PR comments * Plug oauth authenticator into jimm (#1144) * feat(oauth2.go): introduce JWT creation and validation for CLI sessions * feat(package doc for auth): adds a package doc for auth * feat(auth): update error code * feat(oauthauthenticator): plug in the authenticator params and create it on the JIMM service * PR comments * feat(pr fixes): pr fixes * fix * add ref * remove else * Connect directly to realm for tests * typo * Add auth to test utils * fix service tests * debug line to help fix tests in ci * PR comments * pr comments * Wait on ci so all containers healthy * Fix CI * fix * remove "finished" from dc * feat(remove req param for logindevice): remove param --------- Co-authored-by: Ales Stimec <ales.stimec@canonical.com>
Description
Introduces session based JWT tokens for use within the CLI device flow.
Engineering checklist
Check only items that apply
Test instructions
Notes for code reviewers