Add JWE support #440
Conversation
Thanks @chrisFrodo - as you've probably realized this is not the most active project right now. I'm sorry for that. I've got a few comments and questions, though.
…_response" to "openidc.call_userinfo_endpoint"
…mentation to the README.md
Hi @bodewig! Following your suggestion I've made some modifications to my previous work:
About your question about the cryptographic limitations, the fun begins!
So, as described in the OpenID Connect CORE spec, the jwt lib is not compliant on the encryption/decryption aspect. It is in fact lacking the support of the Here is a list of the algorithms that should be supported, the bold ones being mandatory:
Fun fact: the HMAC signature of content encrypted with CBC mode is meant to be optional. That means some modifications will have to be done on the Hope these answers helped you!
-- part1 = JOSE Header, part2 = Initialization Vector, part3 = Cyphertext, part4 = Authentication Tag , others are unused | ||
-- or | ||
-- part1 = JOSE Header, part2 = Pre-shared key, part3 = Initialization Vector, part4 = Cyphertext, part5 = Authentication Tag | ||
local jwe_header = cjson.decode(unb64(part1)) |
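Review bot: the second layout comment labels part2 of the five-part form as "Pre-shared key", but in JWE compact serialization (RFC 7516) that segment is the JWE Encrypted Key, which is empty for alg "dir" and otherwise carries the wrapped content-encryption key, so the comment should name it as such; and because compact serialization always has exactly five dot-separated parts, the four-part layout in the first comment line should not be documented as an accepted alternative. "Cyphertext" in both comment lines should also read "Ciphertext".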
Shouldn't that be urlsafe base64 decoding, i.e. openidc_base64_url_decode? Also it may be good to use cjson_s and check for an error.
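As an added example (not code from this PR or from lua-resty-openidc), a Python parser for the JWE compact layout described in the diff comments above that applies the reviewer's two points: strict base64url decoding of every segment, and failing closed when the header does not decode or names an algorithm outside an allow-list. The allow-list is a constructed assumption for illustration, not the project's table.

```python
import base64
import binascii
import json

# Constructed allow-list for this example, not the project's table; the thread
# defers the full list of required algorithms to OIDC Core.
ALLOWED_ALG = {"dir", "RSA-OAEP"}
ALLOWED_ENC = {"A128CBC-HS256", "A256GCM"}


def b64url_decode(segment: str) -> bytes:
    """Strict unpadded base64url (RFC 7515 appendix C); rejects '+', '/' and '='."""
    if any(c in segment for c in "+/="):
        raise ValueError("segment is not unpadded base64url")
    std = segment.translate(str.maketrans("-_", "+/")) + "=" * (-len(segment) % 4)
    try:
        return base64.b64decode(std, validate=True)
    except binascii.Error as exc:
        raise ValueError("invalid base64url segment") from exc


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_jwe_compact(token: str) -> dict:
    """Split a JWE compact serialization into its five segments and vet the header;
    raises ValueError on anything malformed or unsupported so callers fail closed."""
    parts = token.split(".")
    if len(parts) != 5:  # header.encrypted_key.iv.ciphertext.tag, always five
        raise ValueError("JWE compact serialization needs exactly 5 parts")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError) as exc:  # bad base64url or bad JSON
        raise ValueError("JOSE header is not valid base64url JSON") from exc
    if not isinstance(header, dict):
        raise ValueError("JOSE header must be a JSON object")
    alg, enc = header.get("alg"), header.get("enc")
    if alg not in ALLOWED_ALG or enc not in ALLOWED_ENC:
        raise ValueError(f"unsupported alg/enc: {alg!r}/{enc!r}")
    encrypted_key = b64url_decode(parts[1])
    if alg == "dir" and encrypted_key:  # direct encryption carries no wrapped key
        raise ValueError("alg 'dir' requires an empty encrypted key segment")
    return {"header": header, "encrypted_key": encrypted_key,
            "iv": b64url_decode(parts[2]), "ciphertext": b64url_decode(parts[3]),
            "tag": b64url_decode(parts[4])}
```

The parsed segments are still opaque bytes; key unwrapping, decryption and tag verification happen in a later step, which this parser only guards by refusing input it cannot classify.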
Thanks a lot @chrisFrodo, this looks great apart from the small comment I left inline. I wonder whether we need to do something about elliptic curves as well - see also #457. The EC MR makes me wonder whether it is a good idea to encode lua-resty-jwt's current limitations in lua-resty-openidc as it will always require a new release here if lua-resty-jwt learns new tricks that may be relevant to users of the library.
Add JWE support that is missing currently, and fix a bug with userinfo