The first vulnerability is in the title: OAuth is an authorization framework (Open Authorization) and is explicitly NOT for authentication. It’s also a delegation protocol (I give you something to do on my behalf).
If you want a list of things that can go wrong, look here: https://tools.ietf.org/id/draft-ietf-oauth-security-topics-1...
Generally you probably do not need OAuth2: https://www.ory.sh/hydra/docs/concepts/before-oauth2/
But if you do, don’t roll your own; use proven open source like https://github.com/ory/hydra
> Someone flubbed up and made the "none" algorithm mandatory for spec-compliant implementations.
Which spec are you referring to? 7519? Per section 6 ( https://tools.ietf.org/html/rfc7519#section-6 ) "none" is an optional feature of JWT.
I am not aware of any spec related to OAuth which requires a server to issue or accept a JWT with an algo of "none". Can you point one out to me?
From the AS side, our product won't even allow you to "sign" a JWT with a value of none. I'm not sure about other authorization servers.
And I always recommend that if a resource server ever sees an algorithm of "none" it should throw out the JWT full stop.
> It's a chicken-and-egg problem that the designers missed: you can't trust the token until you've validated it, but you'd have to believe the value of the algo field before you've validated it in order to check the signature.
What is the way around this? It looks like Paseto tokens (an alternative I've heard mentioned) work by not allowing unsigned tokens: https://github.com/paragonie/paseto
Is there another way to fix this?
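The fix the two comments above are circling is that the verifier never reads the algorithm from the token at all: the expected algorithm and key come from the resource server's own configuration, the header's `alg` is merely checked for agreement, and "none" is unreachable by construction. The following is an added example written for this thread, not code from the original posts or from any of the projects mentioned; the HMAC key, the claims and both tokens are constructed inline for the demo. It puts the vulnerable "trust the header" verifier next to the pinned one so the forged `alg: none` token can be fed to both.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_parts(header: dict, payload: dict) -> str:
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    return b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))


def hs256_sign(payload: dict, key: bytes) -> str:
    """Issue a properly signed HS256 token (what an honest AS would do)."""
    signing_input = encode_parts({"alg": "HS256", "typ": "JWT"}, payload)
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def forge_unsigned(payload: dict) -> str:
    """What an attacker sends: alg 'none' and an empty signature segment."""
    return encode_parts({"alg": "none", "typ": "JWT"}, payload) + "."


def naive_verify(token: str, key: bytes) -> dict:
    """VULNERABLE: believes the unverified header's alg field."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        # The bug from the thread: "no signature to check, so it's good".
        return json.loads(b64url_decode(p))
    if header.get("alg") == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    raise ValueError("bad signature")


def pinned_verify(token: str, key: bytes, expected_alg: str = "HS256") -> dict:
    """HARDENED: the algorithm is server configuration, not token input."""
    if expected_alg == "none":
        raise ValueError("refusing to configure an unsigned token policy")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # The header must match what we already expect; it never selects the check.
    if header.get("alg") != expected_alg:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if not s:
        raise ValueError("missing signature")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def accepts(verifier, token: str, key: bytes) -> bool:
    """True if the verifier returns claims, False if it rejects the token."""
    try:
        verifier(token, key)
        return True
    except ValueError:
        return False


# Constructed demo data (hypothetical key and claims, not from any real system).
KEY = b"constructed-demo-hmac-key-do-not-reuse"
LEGIT_TOKEN = hs256_sign({"sub": "alice", "scope": "read"}, KEY)
FORGED_TOKEN = forge_unsigned({"sub": "admin", "scope": "read write"})


if __name__ == "__main__":
    for name, verifier in (("naive", naive_verify), ("pinned", pinned_verify)):
        print(name, "legit:", accepts(verifier, LEGIT_TOKEN, KEY),
              "forged:", accepts(verifier, FORGED_TOKEN, KEY))
```

The pinned verifier also rejects a token whose header says HS256 but whose signature segment is empty, and it refuses to be configured with "none" in the first place, so there is no code path in which the token gets to decide whether it is checked. Mainstream libraries expose the same idea as a mandatory allowlist (for example PyJWT's `jwt.decode(token, key, algorithms=["HS256"])`); the mistake the thread describes is a verifier that dispatches on the header instead.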
> There are libraries that will see "none" in the algo field and treat that as "this token doesn't have a signature that needs to be validated, so it's good".
Spooky! Can you share these so I can stay far away from them? :)