On 2019-01-14, Stian Thorgersen wrote:
Bruno - can you reply to this please?
Of course, we discussed this some time ago
https://github.com/keycloak/keycloak-gatekeeper/pull/407#issuecomment-409.... But just
in case it was missed, I'm adding some answers/questions inline.
On Tue, 8 Jan 2019 at 15:19, BIDON Frederic <fredbi(a)yahoo.com> wrote:
>
> Relying on a stale package such as `github.com/coreos/go-oidc.v1`
> <http://github.com/coreos/go-oidc.v1> is really annoying for a security
> product.
Hi Frederic, I understand your concern. If you have found a
security issue, please do not hesitate to send us an e-mail on the
keycloak-security mailing list with all the details:
https://www.keycloak.org/security.html.
We had to remove all the forks from the gambol99 repository and move to the official
repositories. Doing a full upgrade of dependencies would take a considerable time, due to the
break of API compatibility.
That's the reason why we decided to postpone it.
>
> Moreover, this library has no support for tokens with an EC signature.
You are correct, that's our plan to upgrade all the dependencies soon.
>
> I've tried a bit to remove this but I felt like the choice of a proper
> library should be discussed.
>
> Here is my two cents:
>
> - coreos/go-oidc.v2 does not add much compared to stdlib `x/oauth2`:
> there is remote JWKS fetcher which might be useful, although this is in
> fact `square/go-jose` that does the heavy lifting here
> - I found `square/go-jose` good enough for JWK and JWKS, but rather
> unpractical for JWT. I found `dgrijalva/jwt-go` much handier when it comes
> to manipulate JWT
Could you please elaborate more on why you think it's unpractical?
>
> Any ideas / challenges around for a proper choice of dependencies here?
The initial idea is to upgrade the following dependencies:
* From coreos/go-oidc/oauth2 to golang/x/oauth2
* From coreos/go-oidc/jose to square/go-jose
* From coreos/go-oidc/oidc to coreos/go-oidc (v2)
Also, the work on this has not started yet, so absolutely nothing is set in stone.
>
> Cheers,
>
> Frédéric
> frederic.bidon(a)yahoo.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
abstractj
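The concrete capability the thread asks of a replacement library, verifying a token carrying an EC signature, as an added example that is not part of this thread and not keycloak-gatekeeper's code: it uses only the Go standard library (no go-oidc, go-jose or jwt-go), generates a throwaway P-256 key in-process and constructs the token itself, so the key, the issuer and the claims are made-up values. The verifier pins the algorithm to ES256 before touching the signature and decodes the JWS `R || S` signature layout, which is the part a JOSE library normally hides.

```go
// Added example (not keycloak-gatekeeper code): verifying an ES256-signed JWT
// with only the Go standard library. Key and token are constructed in-process.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// b64 is the base64url-without-padding alphabet that JWS mandates (RFC 7515).
var b64 = base64.RawURLEncoding

// SignES256 builds a compact JWS over claims with the given P-256 key.
// JWS encodes an ECDSA signature as the fixed-width concatenation R || S
// (32 bytes each for P-256), not as ASN.1 DER, so the raw (r, s) pair is used.
func SignES256(key *ecdsa.PrivateKey, claims map[string]interface{}) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyES256 checks a compact JWS against pub and returns its claims.
// The algorithm is pinned to ES256 before the signature is examined, so a
// header announcing any other alg is rejected outright instead of being
// interpreted with whatever key material happens to be at hand.
func VerifyES256(pub *ecdsa.PublicKey, token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jws: expected three dot-separated segments")
	}
	rawHeader, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("jws: bad header encoding: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHeader, &hdr); err != nil {
		return nil, fmt.Errorf("jws: bad header json: %w", err)
	}
	if hdr.Alg != "ES256" {
		return nil, fmt.Errorf("jws: unexpected alg %q, want ES256", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("jws: bad signature encoding: %w", err)
	}
	if len(sig) != 64 {
		return nil, fmt.Errorf("jws: ES256 signature must be 64 bytes, got %d", len(sig))
	}
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	// The signed data is the protected header and payload exactly as encoded.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("jws: signature verification failed")
	}
	rawPayload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("jws: bad payload encoding: %w", err)
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(rawPayload, &claims); err != nil {
		return nil, fmt.Errorf("jws: bad payload json: %w", err)
	}
	return claims, nil
}

func main() {
	// Throwaway key and made-up claims, constructed for this example only.
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tok, _ := SignES256(key, map[string]interface{}{"sub": "alice", "iss": "https://issuer.example"})
	claims, err := VerifyES256(&key.PublicKey, tok)
	fmt.Println(claims, err)

	// A modified payload no longer matches the signature and is rejected.
	parts := strings.Split(tok, ".")
	parts[1] = b64.EncodeToString([]byte(`{"sub":"mallory"}`))
	_, err = VerifyES256(&key.PublicKey, strings.Join(parts, "."))
	fmt.Println("tampered:", err)
}
```

In a gateway the public key would come from the issuer's JWKS rather than from an in-process key pair, and the verifier would additionally check `iss`, `aud` and `exp`; those parts are deliberately left out here so that the signature handling, which is what the stale library lacks, stays visible.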