Alternatives to RSA algorithm?


Marian Steinbach

Jan 24, 2017, 3:57:03 AM1/24/17
to dex-dev
Hi,

I'm currently testing dex to evaluate whether it can become our OIDC provider.

It seems as if dex (current master) issues JWT tokens using the RS256 algorithm. This algorithm isn't supported by all libraries working with JWT, so I wonder if it's possible to configure dex to use different algorithms, like HS256.

Searching the repository only revealed one issue that seemed unrelated.

Thanks

Marian

Eric Chiang

Jan 24, 2017, 11:36:33 AM1/24/17
to Marian Steinbach, dex-dev
Marian,

> It seems as if dex (current master) issues JWT tokens using the RS256 algorithm.

OpenID Connect defaults to this value unless a client specifically
requests something else, so this is dex's default. We do have an issue
open to support different signing algorithms[0] and have some internal
code that's structured to support this in the future. Would be happy
to expand in that issue for anyone looking to take on adding that
support.

> This algorithm isn't supported by all libraries working with JWT, so I wonder if it's possible to configure dex to use different algorithms, like HS256.

HS256 is a symmetric signing algorithm with a shared, secret key.
Since OpenID Connect servers advertise their keys, it's not
appropriate to use the HMAC-based algorithms.

Do you mean ES256 or ECDSA flavors like PS256?

Eric

[0] https://github.com/coreos/dex/issues/692
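The reason given above is the whole argument, and it is worth seeing what goes wrong when a verifier ignores it. The Go program below is an added example written for this thread, not dex's code: it signs an ID token the way an OIDC provider does (RS256 with a private key), publishes the public key the way a provider advertises it, and then compares two verifiers. One pins the algorithm to RS256; the other lets the token header pick the algorithm and hands its only key to HS256 as the HMAC secret. Because the public key is public, an attacker can use it as that secret and mint tokens the second verifier accepts. The key pair, the claims and all function names are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JOSE base64url, no padding

// encodeJWT assembles header.payload.signature; sign receives the signing input.
func encodeJWT(alg string, claims map[string]any, sign func([]byte) ([]byte, error)) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	sig, err := sign([]byte(input))
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// SignRS256 is the provider side: RSASSA-PKCS1-v1_5 over SHA-256 with the private key.
func SignRS256(priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	return encodeJWT("RS256", claims, func(in []byte) ([]byte, error) {
		d := sha256.Sum256(in)
		return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	})
}

// SignHS256 needs only the shared secret, so whoever holds it can mint tokens.
func SignHS256(secret []byte, claims map[string]any) (string, error) {
	return encodeJWT("HS256", claims, func(in []byte) ([]byte, error) {
		m := hmac.New(sha256.New, secret)
		m.Write(in)
		return m.Sum(nil), nil
	})
}

// PublicKeyPEM is the form in which a provider advertises its verification key.
func PublicKeyPEM(pub *rsa.PublicKey) []byte {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
}

// Verify checks a token against the provider's advertised RSA key. With trustHeaderAlg=false only
// RS256 is accepted, whatever the header says. With trustHeaderAlg=true the header chooses the
// algorithm and the verifier's only key is handed to HS256 as the HMAC secret: the classic mistake.
func Verify(token string, pub *rsa.PublicKey, trustHeaderAlg bool) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed token")
	}
	var raw [3][]byte
	for i, p := range parts {
		var err error
		if raw[i], err = b64.DecodeString(p); err != nil {
			return err
		}
	}
	var hdr struct{ Alg string } // encoding/json matches "alg" case-insensitively
	if err := json.Unmarshal(raw[0], &hdr); err != nil {
		return err
	}
	input := []byte(parts[0] + "." + parts[1])
	switch {
	case hdr.Alg == "RS256":
		d := sha256.Sum256(input)
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], raw[2])
	case hdr.Alg == "HS256" && trustHeaderAlg:
		m := hmac.New(sha256.New, PublicKeyPEM(pub))
		m.Write(input)
		if !hmac.Equal(m.Sum(nil), raw[2]) {
			return fmt.Errorf("bad HMAC")
		}
		return nil
	default:
		return fmt.Errorf("alg %q not allowed", hdr.Alg)
	}
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key pair, not dex's
	pub := &priv.PublicKey
	forged, _ := SignHS256(PublicKeyPEM(pub), map[string]any{"sub": "alice", "admin": true}) // attacker knows only pub
	fmt.Printf("forged HS256 token accepted? header-trusting verifier: %v, RS256-pinned verifier: %v\n", Verify(forged, pub, true) == nil, Verify(forged, pub, false) == nil)
}
```

The check to look for in any OIDC client library is the one Verify does with trustHeaderAlg=false: the verifier decides which algorithm is acceptable, not the token. Whether a library "supports" RS256 matters much less than whether it refuses every algorithm the issuer does not actually use, including HS256 and none.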

Marian Steinbach

Jan 25, 2017, 4:33:51 AM1/25/17
to Eric Chiang, dex-dev
On Tue, Jan 24, 2017 at 5:36 PM, Eric Chiang wrote:
> ... We do have an issue
> open to support different signing algorithms[0] and have some internal
> code that's structured to support this in the future.

Thanks for the info!

> Would be happy
> to expand in that issue for anyone looking to take on adding that
> support.
>
> > This algorithm isn't supported by all libraries working with JWT, so I wonder if it's possible to configure dex to use different algorithms, like HS256.
>
> HS256 is a symmetric signing algorithm with a shared, secret key.
> Since OpenID Connect servers advertise their keys, it's not
> appropriate to use the HMAC-based algorithms.

Yeah, I understood that in the meantime. Asymmetric keys as in RSA appear to be a much better choice for any production system. So in fact I can no longer advocate a requirement to implement HS256 or anything else in dex. Sorry for the noise ;-)

Marian
