-
-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OAuth2 Provider実装 #8262
Comments
実装を試みたけど学習コスト高くて挫折 |
OAuth2 Provider という認識であっていますか。 |
あ、なんかこれめっちゃ楽そう |
出来ればIndieAuthも考慮したいです (OAuth 2.0の個人サーバー向けの改良版) Edit: でもいいライブラリがないかも |
テスト込みで実装された方に報奨金を進呈 |
OAuth実装に GitLabの実装: https://gitlab.com/.well-known/oauth-authorization-server (https://gitlab.com/gitlab-org/gitlab/-/issues/233956) |
神じゃん |
やるか(しゅいろさん風) |
現在の計画はこうです
Q: 登録しなくてもいいわけ?
|
oauth2orizeに移したいです
|
oauth2orizeは最終コミットが2021年なのとJavaScriptで書かれているのが気になりはした |
これちょっと気になりますね(でも死んでいるわけではないのでまあいいかと) https://github.com/node-oauth/node-oauth2-server もありますが、かなり生まれたてですし必要な機能があるのかも怪しいです (node-oauth/node-oauth2-server#180) 一旦使えるoauth2orizeを使って、どうしてもだめならまた移すことにしようと思います |
Are you sure about this? I do not think this is the correct understanding of RFC 6749 § 2.1. The distinction of whether a According to the RFC, Client secrets cannot be issued to clients which cannot keep it a secret (public client). Example: You write a mobile app for a website and need to register the client in advance on a web form. This means the client secret would need to be hard coded into the app. If you download the app you can find the string containing the secret inside it. This obviously means it is not actually a "secret" since anyone can find it out by just downloading the application. In my opinion, all Misskey clients would be confidential clients because Misskey has dynamic client registration. If you want to read my opinion see also https://qwertqwefsday.eu/foundkey/oauth2.html#client-registration. |
Oh sorry, my previous description was indeed incorrect. Thank you for catching that. That said, per the RFC:
Obviously "clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application" is the purpose here. Even if the client info is not hardcoded to the app, one must not assume anything sent to the random user device will be confidential. On the contrary:
That basically means some server-side clients, perhaps something like https://elk.zone, on which users won't get the credentials on their device. So I think my point still holds. My current plan for the initial implementation is to restrict things to public clients and defer anything else, to reduce initial complexity. The only accepted grant type will be |
最初の実装ではあまり気にすることではないかもしれませんが… 分散SNSという環境上、SPの管理者が気が付かないうちにIdPが運営を終了することがあり得る。その場合、攻撃者は期限が切れたドメインを取得して、そのドメイン上で自分の管理下にある新しいIdPを運営することができる。すると、攻撃者は旧IdPのアカウントに紐づいているSPのアカウント全てにログインすることが可能となる。 対策としては、SPが(公開鍵チャレンジレスポンスなどで)IdPサーバーを認証してからOpenID認証フローを実行すればよいと思われる。 -- In the Fedi world, it is possible for an IdP to silently shut down its services and the SP is unaware of it. In that case, the attacker can take the expired domain and run a new IdP under his/her control. The attacker can then access all SP accounts associated with the terminated IdP. SPs could avoid this exploit by first validating the IdP server through challenge-response authentication (or anything) before initiating the OpenID authentication flow. |
(identity providerの実装はOAuth本体には含まれていないので、複雑さを下げるため別の作業にしたいと思います) |
Summary
The text was updated successfully, but these errors were encountered: