Conversation

@michielbdejong
Contributor

This would allow for some more modern security best practices like pre-registering clients and making the access token short-lived and client-bound

@michielbdejong michielbdejong marked this pull request as draft August 27, 2024 07:19
@michielbdejong
Contributor Author

I think we should use a GNAP grant request instead. Will update.

GNAP is more appropriate here because it makes way fewer assumptions about the interaction (in particular it doesn't assume the use of browser redirects)
@michielbdejong michielbdejong changed the title OAuth code as alternative to sharedSecret nonce and gnapAuthorizationServer as alternative to sharedSecret Aug 27, 2024
@michielbdejong michielbdejong marked this pull request as ready for review August 27, 2024 07:27
@michielbdejong michielbdejong mentioned this pull request Aug 27, 2024
@glpatcern glpatcern self-requested a review August 27, 2024 12:26
Member

@glpatcern glpatcern left a comment

Makes sense. Looking forward to seeing how this section about the access procedure can be made more "standardized" compared to the current free-form text!

@michielbdejong
Contributor Author

We can reuse the format of the WWW-Authenticate header defined for GNAP in section 9.1 of https://datatracker.ietf.org/doc/draft-ietf-gnap-core-protocol/

so then it would be as_uri instead of gnapAuthorizationServer. I'll work on this some more.
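As an added illustration of the header reuse discussed in the comment above (this is example code written for this page, not code from the OCM-API project or from the pull request), the snippet below parses a GNAP-style `WWW-Authenticate` challenge, pulls out the `as_uri` parameter that would stand in for `gnapAuthorizationServer`, and refuses to follow anything that is not an https URL. The sample header and host names are constructed for the example; the generic handling of parameters other than `as_uri` is an assumption rather than something the spec text on this page defines.

```python
"""Parse a GNAP-style WWW-Authenticate challenge and extract the grant
endpoint (as_uri). Example code for this page; not part of OCM-API."""
import re
from urllib.parse import urlparse

# Constructed sample challenge, as a receiving server might return on a 401.
# Host names and the access reference are placeholders.
SAMPLE_HEADER = 'GNAP as_uri=https://receiver.example/ocm/token, access="share-ref-123"'

# One `key=value` or `key="quoted value"` item, followed by a comma or end of string.
_PARAM_RE = re.compile(r'\s*([A-Za-z0-9_-]+)\s*=\s*(?:"([^"]*)"|([^,\s]+))\s*(?:,|$)')


def parse_gnap_challenge(header: str) -> dict[str, str]:
    """Split a `GNAP k=v, k="v"` challenge into a dict of lower-cased keys.

    Raises ValueError if the auth scheme is not GNAP or the parameter list
    cannot be parsed from start to end (no silent partial results).
    """
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "gnap":
        raise ValueError(f"unexpected auth scheme: {scheme!r}")
    params: dict[str, str] = {}
    pos = 0
    while pos < len(rest):
        m = _PARAM_RE.match(rest, pos)
        if not m:
            raise ValueError(f"malformed parameter list at offset {pos}")
        key, quoted, bare = m.groups()
        params[key.lower()] = quoted if quoted is not None else bare
        pos = m.end()
    return params


def grant_endpoint(header: str) -> str:
    """Return the authorization server's grant endpoint from the challenge.

    Insists on an absolute https URL so that a downgraded or attacker-supplied
    plain-http as_uri is never contacted with a grant request.
    """
    params = parse_gnap_challenge(header)
    try:
        as_uri = params["as_uri"]
    except KeyError:
        raise ValueError("challenge carries no as_uri") from None
    parsed = urlparse(as_uri)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"refusing non-https as_uri: {as_uri}")
    return as_uri


if __name__ == "__main__":
    print(grant_endpoint(SAMPLE_HEADER))
```

A client that receives the 401 would call `grant_endpoint` on the `WWW-Authenticate` value and send its grant request to the returned URL; the strict parse-to-end loop means a truncated or tampered header fails loudly instead of yielding a half-read parameter set.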

@michielbdejong michielbdejong marked this pull request as draft August 27, 2024 14:53
@glpatcern glpatcern self-requested a review August 30, 2024 06:12
@michielbdejong michielbdejong changed the title nonce and gnapAuthorizationServer as alternative to sharedSecret httpsig and short-lived bearer tokens as alternative to sharedSecret Sep 3, 2024
@michielbdejong michielbdejong marked this pull request as ready for review September 3, 2024 08:55
@michielbdejong
Contributor Author

See cs3org/ocm-test-suite#88 (comment) for a demo of how this would work

@michielbdejong michielbdejong merged commit 6a15d07 into develop Sep 3, 2024
@glpatcern
Member

glpatcern commented Sep 3, 2024

Nice to see you already have your ocm-stub doing this. Would you add protocol.webdav.code in the spec.yaml as another optional parameter?

michielbdejong added a commit that referenced this pull request Sep 4, 2024
…98)

* OAuth code as alternative to sharedSecret

This would allow for some more modern security best practices like pre-registering clients and making the access token short-lived and client-bound

* whitespace

* typo

* GNAP instead of OAuth 2.0 Authorization Code flow

GNAP is more appropriate here because it makes way fewer assumptions about the interaction (in particular it doesn't assume the use of browser redirects)

* camel case

* simplify from GNAP to httpsig+bearer

* clarify language

* `<OCM endpoint>/token`
@glpatcern glpatcern deleted the oauth-code branch August 7, 2025 13:47