Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

acl: Extend BearerToken message with issuer field #292

Merged
merged 1 commit into from
Mar 4, 2024
Merged

acl: Extend BearerToken message with issuer field #292

merged 1 commit into from
Mar 4, 2024

Conversation

cthulhu-rider
Copy link
Contributor

No description provided.

@cthulhu-rider
acl: Extend BearerToken message with issuer field
f49089f 
Previously, `BearerToken` message had no explicit field for the token
issuer. This could become a limitation on subject identification because
only public key derivation was supported. To prevent this, `issuer`
field is added.

Closes #266.

Signed-off-by: Leonard Lyubich <leonard@morphbits.io>
carpawell
carpawell reviewed Feb 26, 2024
View reviewed changes
Copy link
Member

@carpawell carpawell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What does it solve? It can be trusted only if we trust the signature (know key/signature -> container owner (and only the owner as it is said in this PR) relation).

@cthulhu-rider
Copy link
Contributor Author

@carpawell problem is mentioned in the commit

It can be trusted only if we trust the signature

we can be different, needs may vary from app to app. Apps like gateways dont (should not) do validation on their own, at the same time, they could have a need to access the field

@roman-khimov
Copy link
Member

If it's present we can fetch additional data from contracts or in any other way, we can check public key corresponds to it. The way I see it now is we basically have two ways to solve ID (user) issues:

  • map every account to some script via neofsid
  • replace public keys with proper verification scripts in every case we have a signature

This makes the first option easier.

@carpawell
Copy link
Member

carpawell commented Feb 27, 2024
edited
Loading

Apps like gateways dont (should not) do validation on their own, at the same time, they could have a need to access the field

No validation -- GW may consider any issuer, the issuer is not proofed.

If it's present we can fetch additional data from contracts or in any other way, we can check public key corresponds to it.

The same way public key can be sent to a contract to get owner?

@roman-khimov
Copy link
Member

The same way public key can be sent to a contract to get owner?

That's different to me. ID is more abstract than a key, it doesn't imply any specific validation scheme on its own.

@cthulhu-rider
Copy link
Contributor Author

No validation -- GW may consider any issuer, the issuer is not proofed.

dont see any problem with this. GW is GW, it just transmits data back and forth b/w protocols. Self validation is not really good behavior for such entity

@roman-khimov roman-khimov merged commit f3ed513 into master Mar 4, 2024
3 checks passed
@roman-khimov roman-khimov deleted the 266-bearer-token-issuer branch March 4, 2024 10:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@carpawell carpawell carpawell approved these changes

@roman-khimov roman-khimov roman-khimov approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cthulhu-rider @roman-khimov @carpawell