
Comments (9)

toupeira commented on July 18, 2024

Hi there @gigr! Yes this change would be very welcome and your plan sounds about right, though I haven't yet looked into the exact requirements for the other algorithms. But we use json-jwt which supports most of them, so it really should just be a matter of figuring out how to configure the necessary keys/secrets.

We also need to make sure DiscoveryController#keys_response includes the required parameters for the JWKS, see RFC 7517.

Actually I just realized we're not using jws_public_key, since the public key can be extracted from the private one. So maybe it would be possible to replace the jws_* settings with a signing_key setting which would be responsible for returning an object that can be passed to JSON::JWK.new:

Doorkeeper::OpenidConnect.configure do
  signing_key do
    OpenSSL::PKey.read(File.read(ENV['JWS_PRIVATE_KEY']))
  end
end

And then maybe we can deduce the signing_algorithm value from the class and attributes? If not we could just add it as an explicit setting, as you suggest.

from doorkeeper-openid_connect.
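An added example, not part of the thread and not the gem's code: one way to deduce the algorithm from the key object and to build the public JWKS entry (RFC 7517) using only Ruby's OpenSSL standard library. The helper names are hypothetical, RS256 is an assumed default for RSA keys (the key class alone does not fix the hash), and the `kid` is computed as an RFC 7638 thumbprint.

```ruby
require 'openssl'
require 'json'
require 'digest'

# Hypothetical helpers; not part of doorkeeper-openid_connect or json-jwt.
# OpenSSL curve name => [JWS alg, JWK crv, coordinate size in bytes]
EC_CURVES = {
  'prime256v1' => ['ES256', 'P-256', 32],
  'secp384r1'  => ['ES384', 'P-384', 48],
  'secp521r1'  => ['ES512', 'P-521', 66]
}.freeze

def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

# Deduce the JWS "alg" from the object a signing_key block would return.
def deduce_signing_algorithm(key)
  case key
  when OpenSSL::PKey::RSA then 'RS256' # assumed default for RSA
  when OpenSSL::PKey::EC
    EC_CURVES.fetch(key.group.curve_name) { |c| raise ArgumentError, "unsupported curve #{c}" }.first
  when String then 'HS256' # shared secret
  else raise ArgumentError, "unsupported key type #{key.class}"
  end
end

# Public JWK members for the keys response. Returns nil for HMAC secrets,
# which must never be published. Private members (d, p, q) are never read.
def public_jwk(key)
  alg = deduce_signing_algorithm(key)
  params =
    case key
    when OpenSSL::PKey::RSA
      { kty: 'RSA', n: b64url(key.n.to_s(2)), e: b64url(key.e.to_s(2)) }
    when OpenSSL::PKey::EC
      _, crv, size = EC_CURVES.fetch(key.group.curve_name)
      xy = key.public_key.to_octet_string(:uncompressed)[1..] # drop 0x04 prefix
      { kty: 'EC', crv: crv, x: b64url(xy[0, size]), y: b64url(xy[size, size]) }
    else return nil
    end
  # kid: SHA-256 over the required members, sorted by name (RFC 7638)
  kid = b64url(Digest::SHA256.digest(JSON.generate(params.sort.to_h)))
  params.merge(use: 'sig', alg: alg, kid: kid)
end

# Constructed sample key, generated in memory for the demonstration.
puts JSON.pretty_generate(keys: [public_jwk(OpenSSL::PKey::EC.generate('prime256v1'))])
```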

gigr commented on July 18, 2024

Awesome! The idea of adding a signing_key makes sense as well. I'll explore that as an option in the PR. I'll be cognizant of the fact that adding a new configuration option for configuring the same thing could break backwards compatibility as well.

I could see this being a few PRs as opposed to one larger one. Do you want me to break it up or would you rather a single, feature-complete PR?


toupeira commented on July 18, 2024

I think we should be fine if we keep jws_private_key, log a deprecation warning there, and delegate to the new signing_key. I deprecated jws_public_key now in 8494eed.

Feel free to submit smaller PRs if you want, but a single one is perfectly fine as well. I don't plan on making a lot of changes in the near future, so you should be safe from merge conflicts ;-)


gigr commented on July 18, 2024

Okay! I'll ping you when I have something to show. Thanks so much!


travisofthenorth commented on July 18, 2024

@gigr is this still on your radar? I would also love to get support for additional algorithms.


gigr commented on July 18, 2024

Not as much. We've found that using the public/private keypair is actually a better solution for our needs. RSA256 is fine as well.


travisofthenorth commented on July 18, 2024

@toupeira is this PR sufficient? #34


travisofthenorth commented on July 18, 2024

@toupeira any idea when you might publish a new version of the gem?


toupeira commented on July 18, 2024

@travisofthenorth very soon, waiting for #36 to get in as well.
