import { useEffect, useState } from "react"; import "./App.css"; import Profile from "./components/profile/Profile"; function App() { // Extracting the 'code' parameter from the URL query string (used for authorization) const urlParams = new URLSearchParams(window.location.search); const code = urlParams.get("code"); // State to store the retrieved user data const [data, setData] = useState(null); // State to indicate if data is being fetched const [loading, setLoading] = useState(false); // Runs whenever the 'code' variable changes (likely on authorization flow) useEffect(() => { const token = localStorage.getItem("token"); if (token) { setLoading(true); // Set loading to true while fetching data fetch("https://api.github.com/user", { headers: { Authorization: token }, }) .then((res) => res.json()) // Parse the response as JSON .then((data) => { setData(data); // Update state with fetched user data setLoading(false); // Set loading to false when done fetching }); } else if (code) { // If no token but 'code' is available (GitHub OAuth flow) setLoading(true); // Set loading to true while fetching data fetch( `http://localhost:8589/oauth/redirect?code=${code}&state=YOUR_RANDOMLY_GENERATED_STATE` ) .then((res) => res.json()) // Parse the response as JSON .then((data) => { setData(data.userData); // Update state with user data from response localStorage.setItem( "token", `${data.tokenType} ${data.token}` ); // Store access token in local storage setLoading(false); // Set loading to false when done fetching }); } }, [code]); // Function to redirect the user to the GitHub OAuth authorization page function redirectToGitHub() { const client_id = "blah blah"; const redirect_uri = "http://localhost:5173/"; const scope = "read:user"; const authUrl = `https://github.com/login/oauth/authorize?client_id=${client_id}&redirect_uri=${redirect_uri}&scope=${scope}`; window.location.href = authUrl; } // Conditionally render content based on loading state and data availability if (loading) { return

Loading...h4>; } if (data) { return ; } return ( <>

Login to MyApph1> Login with GitHub button> div> ); } export default App;

import hashlib from datetime import datetime import httpx from fastapi import APIRouter, HTTPException, Query from app.config import settings from app.utilities.db import db from .models import OauthException, OauthToken router = APIRouter() @router.get( "/callback", response_model=OauthToken, responses={ 400: {"description": "Oauth Error", "model": OauthException}, }, ) async def oauth_callback( code: str = Query(description="Authorization Code"), ) -> OauthToken: """ GitHub Oauth Integration Callback """ async with httpx.AsyncClient() as client: token_result = await client.post( "https://github.com/login/oauth/access_token", json={ "client_id": settings.github_oauth_client_id, "client_secret": settings.github_oauth_client_secret, "code": code, "redirect_uri": "http://localhost:8000/v1/auth/callback", }, headers={"Accept": "application/json"}, ) data = token_result.json() error = data.get("error") if error: raise HTTPException( status_code=400, detail=f"{data.get('error')}: {data.get('error_description')}", ) access_token: str = data.get("access_token") user_result = await client.get( "https://api.github.com/user", headers={"Authorization": f"Bearer {access_token}"}, ) user_data = user_result.json() user = user_data.get("login") await db.tokens.insert_one( { "user": user, "access_token_hash": hashlib.sha256(access_token.encode()).hexdigest(), "created_date": datetime.utcnow(), }, ) return OauthToken(access_token=access_token)

The actual URL is https://github.com/login/oauth/authorize?client_id=bbb58b28cdd98636e3e2&redirect_uri=http%3A%2F%2F127.0.0.1%3A8000%2Fcallback&scope=user%3Aemail&response_type=code

GOOGLE_CLIENT_ID = os.environ["GOOGLE_CLIENT_ID"] GOOGLE_CLIENT_SECRET = os.environ["GOOGLE_CLIENT_SECRET"] GOOGLE_TOKEN_URL = "https://www.googleapis.com/oauth2/v4/token" GOOGLE_AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth" GITHUB_CLIENT_ID = os.environ["GITHUB_CLIENT_ID"] GITHUB_CLIENT_SECRET = os.environ["GITHUB_CLIENT_SECRET"] GITHUB_TOKEN_URL = "https://github.com/login/oauth/access_token" GITHUB_AUTH_URL = "https://github.com/login/oauth/authorize"

export const GET = async ({ cookies }) => { const state = generateRandomString(40); // I recommend using nanoid cookies.set("github_oauth_state", state, { httpOnly: true, secure: !dev, // disable when using localhost maxAge: 60 * 60 // 1 hour expiry, path: "/" }); const authorizationUrlSearchParams = new URLSearchParams({ client_id: GITHUB_CLIENT_ID, state }); const authorizationUrl = https://github.com/login/oauth/authorize?${authorizationUrlSearchParams}; // redirect to authorization url return new Response(null, { status: 302, headers: { Location: authorizationUrl } }); } ```

services.AddCookie("Google-Cookie") .AddOAuth("Google", options => { options.SignInScheme = "Google-Cookie"; options.ClientId = configuration["ClientId"]>; options.ClientSecret = configuration["ClientSecret"]; options.AuthorizationEndpoint = "https://github.com/login/oauth/authorize"; options.TokenEndpoint = "https://github.com/login/oauth/access_token"; options.UserInformationEndpoint = "https://api.github.com/user"; options.CallbackPath = "/api/Google-Redirect"; options.Scope.Clear(); options.Scope.Add("read:user"); options.SaveTokens = true; // Not sure what does this do options.Events.OnCreatingTicket = async context => { using var request = new HttpRequestMessage(HttpMethod.Get, options.UserInformationEndpoint); request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", context.AccessToken); using var result = await context.Backchannel.SendAsync(request); var user = await result?.Content?.ReadFromJsonAsync(); context.RunClaimActions(user); // I don't think this is needed // Create claims for the token var claims = new Claim[] { new Claim(ClaimTypes.Name, user.Name), new Claim(ClaimTypes.Email, user.Email) }; // Create the token var token = new JwtSecurityToken( issuer: configuration["JWT_Issuer"], audience: configuration["JWT_Audience"], claims: claims, expires: DateTime.UtcNow.AddHours(1);, signingCredentials: new SigningCredentials(new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configuration["JWT_Secret"]));, SecurityAlgorithms.HmacSha256) ); // Generate the token string var tokenString = new JwtSecurityTokenHandler().WriteToken(token); context.Response.Cookies.Append("X-Access-Token", tokenString, new CookieOptions() { HttpOnly = true, SameSite = SameSiteMode.Strict }); }; } );

# Verify the content of the artifact at the given digest, as well as the fact # that the signature has been created by a GitHub actor with the given email. $ cosign verify ghcr.io/radu-matei/hello-spin@sha256:6f886e428152a32ada6303e825975e1a9798de86977e532991a352d02c98f62c \ --certificate-oidc-issuer https://github.com/login/oauth \ --certificate-identity [email protected] Verification for ghcr.io/radu-matei/hello-spin@sha256:6f886e428152a32ada6303e825975e1a9798de86977e532991a352d02c98f62c -- The following checks were performed on each of these signatures: - The cosign claims were validated - Existence of the claims in the transparency log was verified offline - The code-signing certificate was verified using trusted certificate authority certificates

@Bean ClientRegistrationRepository clientRegistrationRepository(JdbcTemplate jdbcTemplate) { JdbcClientRegistrationRepository jdbcClientRegistrationRepository = new JdbcClientRegistrationRepository(jdbcTemplate); ClientRegistration clientRegistration = ClientRegistration.withRegistrationId("github") .clientId("123456") .clientSecret("123456") .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC) .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE) .redirectUri("{baseUrl}/{action}/oauth2/code/{registrationId}") .scope(new String[]{"read:user"}) .authorizationUri("https://github.com/login/oauth/authorize") .tokenUri("https://github.com/login/oauth/access_token") .userInfoUri("https://api.github.com/user") .userNameAttributeName("login") .clientName("GitHub").build(); jdbcClientRegistrationRepository.save(clientRegistration); return jdbcClientRegistrationRepository; }

const oauthUri = `https://github.com/login/oauth/authorize?client_id=${process.env.NEXT_PUBLIC_GH_CLIENT_ID}&scope=user:email,read:user&redirect_uri=http://localhost:3000/api/auth`

var builder = WebApplication.CreateBuilder(args); builder.Services.AddAuthentication() .AddOAuth("github", o => { o.ClientId = "###"; o.ClientSecret = "###"; o.AuthorizationEndpoint = "https://github.com/login/oauth/authorize"; o.TokenEndpoint = "https://github.com/login/oauth/access_token"; o.CallbackPath = "/oauth/github-cb"; o.UserInformationEndpoint = "https://api.github.com/user"; }); var app = builder.Build(); app.MapGet("/", (HttpContext context) => { return context.User.Claims.Select(x => new { x.Type, x.Value }).ToList(); }); app.MapGet("/login", () => { return Results.Challenge(authenticationSchemes: new List() { "github" }); }); app.Run(); --------------------------------------------- dotnet : Stack overflow. At line:1 char:1 + dotnet watch --no-hot-reload 2> output.txt + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (Stack overflow.:String) [], RemoteException + FullyQualifiedErrorId : NativeCommandError at System.Collections.Generic.Dictionary`2[[Microsoft.Extensions.DependencyInjection.Servi ceLookup.ServiceCacheKey, Microsoft.Extensions.DependencyInjection, ...Goes on for an other 60.000 lines

Cosign: In this context, Cosign from the Sigstore project offers a compelling solution. Its simplicity, registry compatibility, and effective link between images and their signatures provide a user-friendly and versatile approach. The integration of Fulcio for certificate management and Rekor for secure logging enhances Cosign's appeal, making it particularly suitable for modern development environments that prioritize security and agility.

sigstore is another suite of tools that focuses on attestation and provenance. Within the suite are two tools I heard mentioned a few times at KubeCon: Cosign and Rekor.

Since we can distribute Spin applications using popular registry services, we can also take advantage of ecosystem tools such as Sigstore and Cosign, which address the software supply chain issue by signing and verifying applications using Sigstore's new keyless signatures (using OIDC identity tokens from providers such as GitHub).

Use distroless images (which contain only application and its runtime dependencies, and don't include package managers/shells or any other programs you would expect to find in a standard Linux distribution). All distroless images are signed by cosign.

$ COSIGN_EXPERIMENTAL=1 cosign verify-blob --cert https://github.com/sigstore/cosign/releases/download/v1.13.1/cosign-linux-amd64-keyless.pem --signature https://github.com/sigstore/cosign/releases/download/v1.13.1/cosign-linux-amd64-keyless.sig https://github.com/sigstore/cosign/releases/download/v1.13.1/cosign-linux-amd64

Another thing to look for is, whether the image is signed using something like cosign (https://github.com/sigstore/cosign). This lets the publisher digitally sign the image, so you at least know that what's on the registry is what they intended to put there. Handy to avoid the risks of attackers squatting similar names and catching typos.

i’m late but surprised no one has mentioned cosign

name: Docker # This workflow uses actions that are not certified by GitHub. # They are provided by a third-party and are governed by # separate terms of service, privacy policy, and support # documentation. on: push: branches: [ "main" ] # Publish semver tags as releases. tags: [ 'v*.*.*' ] pull_request: branches: [ "main" ] paths: - src/MamisSolidarias.WebAPI.Campaigns/Dockerfile - .github/workflows/docker-publish.yml workflow_dispatch: env: # Use docker.io for Docker Hub if empty REGISTRY: ghcr.io IMAGE_NAME: mamis-solidarias/campaigns jobs: build: runs-on: ubuntu-latest permissions: contents: read packages: write # This is used to complete the identity challenge # with sigstore/fulcio when running outside of PRs. id-token: write steps: - name: Checkout repository uses: actions/checkout@v3 # Install the cosign tool except on PR # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' uses: sigstore/cosign-installer@main with: cosign-release: 'v1.13.1' - name: Set up QEMU uses: docker/setup-qemu-action@v2 with: platforms: 'arm64' # Workaround: https://github.com/docker/build-push-action/issues/461 - name: Setup Docker buildx uses: docker/setup-buildx-action@v2 # Login against a Docker registry except on PR # https://github.com/docker/login-action - name: Log into registry ${{ env.REGISTRY }} if: github.event_name != 'pull_request' uses: docker/login-action@v2 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} # Extract metadata (tags, labels) for Docker # https://github.com/docker/metadata-action - name: Extract Docker metadata id: meta uses: docker/metadata-action@v4 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | type=schedule type=ref,event=branch type=ref,event=pr type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{major}} type=sha # Build and push Docker image with Buildx (don't push on PR) # https://github.com/docker/build-push-action - name: Build and push Docker image id: build-and-push uses: docker/build-push-action@v3 with: context: . platforms: linux/amd64, linux/arm64 file: src/MamisSolidarias.WebAPI.Campaigns/Dockerfile push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} # Sign the resulting Docker image digest except on PRs. # This will only write to the public Rekor transparency log when the Docker # repository is public to avoid leaking data. If you would like to publish # transparency data even for private images, pass --force to cosign below. # https://github.com/sigstore/cosign - name: Sign the published Docker image if: ${{ github.event_name != 'pull_request' }} env: COSIGN_EXPERIMENTAL: "true" # This step uses the identity token to provision an ephemeral certificate # against the sigstore community Fulcio instance. run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}

After inspecting the layers i think you should start thinking about signing your images: https://github.com/sigstore/cosign/

cosign