public inbox for [email protected]  
help / color / mirror / Atom feed
From: Jacob Champion <[email protected]>
To: mahendrakar s <[email protected]>
To: Andrey Chudnovsky <[email protected]>
Cc: [email protected] <[email protected]>
Cc: [email protected] <[email protected]>
Cc: [email protected] <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER
Date: Tue, 29 Nov 2022 13:19:59 -0800
Message-ID: <[email protected]> (raw)
In-Reply-To: <CABkiuWo-7KPMZ92Jii0FLz=VmQ=2UbnsgWUCqtfuLXGzubB=tg@mail.gmail.com>
References: <[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<CAAWbhmiWudPQk2euOQQPPa=o14zCN9U_qLwU1pShKO4A-F9yeA@mail.gmail.com>
	<CACrwV540h9+qgz85aND7jpCcuxD_TOo+fJEg7xs1JKGLMf1N+A@mail.gmail.com>
	<CAAWbhmjiQ-X9w5CqLv__Wcfvg3oJ+hXd9807Lzi=zN9DMTpfFg@mail.gmail.com>
	<CACrwV54_euYe+v7bcLrxnje-JuM=KRX5azOcmmrXJ5qrffVZfg@mail.gmail.com>
	<CAAWbhmiR9D=OG=r9-bkiNw_Sp84qc7ti0PaWA_GWUM_t1PeS=g@mail.gmail.com>
	<CACrwV56g7ZZ9wfbQxcoX5YRdx6kx_HgJjxAM5PQoBV41jpCERw@mail.gmail.com>
	<CABkiuWqp1mog7GiUq+thfn0bqKye=QShe5aVBEVSUDPYyBWKvw@mail.gmail.com>
	<[email protected]>
	<CACrwV54pf-VcL_XmDSWOHtLhiprm9nxORW5LJXocD=yCVq=knQ@mail.gmail.com>
	<CABkiuWo-7KPMZ92Jii0FLz=VmQ=2UbnsgWUCqtfuLXGzubB=tg@mail.gmail.com>

On 11/24/22 00:20, mahendrakar s wrote:
> I had validated Github by skipping the discovery mechanism and letting
> the provider extension pass on the endpoints. This is just for
> validation purposes.
> If it needs to be supported, then need a way to send the discovery
> document from extension.

Yeah. I had originally bounced around the idea that we could send a
data:// URL, but I think that opens up problems.

You're supposed to be able to link the issuer URI with the URI you got
the configuration from, and if they're different, you bail out. If a
server makes up its own OpenID configuration, we'd have to bypass that
safety check, and decide what the risks and mitigations are... Not sure
it's worth it.

Especially if you could just lobby GitHub to, say, provide an OpenID
config. (Maybe there's a security-related reason they don't.)

--Jacob





view thread (198+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
  Subject: Re: [PoC] Federated Authn/z with OAUTHBEARER
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox