Skip to content

Biscuit integration #72

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
daeMOn63 wants to merge 17 commits into
base: master
Choose a base branch
from
Open

Biscuit integration #72

daeMOn63 wants to merge 17 commits into from

Conversation

@daeMOn63
Copy link
Contributor

@daeMOn63 daeMOn63 commented Oct 13, 2020

Introduced AccessTokenBuilder type, responsible of access token generation, with an instance provided at hubauth service creation.

Created a BearerBuilder, which is the default out of the box selected builder, generating the actual oauth signed access tokens.
Created a BiscuitBuilder allowing to generate biscuit access token. It can be enabled by following the readme instructions

Added a biscuit package, exposing helpers for signed biscuit generation, signature and verification, its aimed to be included in both client and audience applications, so maybe we'll need to move it somewhere else to not embed the full hubauth there.

Added a /public-key endpoint, serving the hubauth public key

Modified /token endpoint, to accept an extra b64 encoded public key string parameter

The generated biscuit features:

  • audience signature, using the audience kms key.
  • user signature requirement, with an ecdsa p256 public key provided by the user when exchanging the code.
  • expiration time, with the same duration as bearer tokens had.
  • metadata, for transmitting userID / email to the audience.

@daeMOn63 daeMOn63 requested a review from titanous October 13, 2020 12:52
@daeMOn63 daeMOn63 mentioned this pull request Oct 13, 2020
Closed
@daeMOn63 daeMOn63 force-pushed the biscuit_integration branch 2 times, most recently from b851540 to cce7101 Compare October 21, 2020 13:52
@daeMOn63 daeMOn63 mentioned this pull request Nov 10, 2020
Open
@daeMOn63 daeMOn63 force-pushed the biscuit_integration branch from cce7101 to 249a3e9 Compare December 11, 2020 08:26
daeMOn63 and others added 17 commits December 16, 2020 15:21
@daeMOn63
idp: extract access token generation
1058a83
@daeMOn63
add biscuit wrappers and helpers to generate, sign and verify hubauth…
1e1e57b 
… biscuits
@daeMOn63
idp/token: split builder in multiple files
d93cd0c
@daeMOn63
add biscuit metadata and expiration date
70ca6eb 
Verifiers must now provide the current time for verifying the biscuit,
and can extract user informations.

User's pubkeys are now provided in http param when exchanging code.
Removed block count from biscuit weakening the signature.
@daeMOn63
update returned token type to depend on configured builder
ff94986
@daeMOn63
add access token builder creation switch from env
05ff6ec
@daeMOn63
add /public-key HTTP endpoint
fd3d952
@daeMOn63
update biscuit verify audience key type to use *ecdsa.PublicKey inste…
f990c69 
…ad of *kmssign.Key
@daeMOn63
simplify http public key encoding
049c5ed
@daeMOn63
add helper to create UserKeyPair from an ecdsa.PrivateKey
a1bac27
@daeMOn63
cleanup
a689315
@daeMOn63
add biscuit setup instructions in readme
1a6f0da
@daeMOn63
renamed signedPbBuilder to bearerBuilder
d313f9c
@daeMOn63
extracted user signature nonce and timestamp
a7e1424
@daeMOn63
idp/token: add biscuit tests
00aaddc
@daeMOn63
moved biscuit pkg to biscuit-go repo
75f4e5c
@daeMOn63
go mod tidy
f7f02c7
@daeMOn63 daeMOn63 force-pushed the biscuit_integration branch from 249a3e9 to f7f02c7 Compare December 16, 2020 14:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@titanous titanous Awaiting requested review from titanous

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@daeMOn63