Comments (2)
Hi, this looks similar to an open PR in biscuit-go biscuit-auth/biscuit-go#130
The token format still requires to have access to the private key for non-authority blocks, but I think that would be okay in this scenario, we only care about delegating signature to a KMS for the authority block (and third-party blocks, but that's similar).
Agree on putting it behind a feature flag because this increases the risk of misuse a lot.
from biscuit-rust.
Adding an external sign
interface would be the minimal solution. The requirement for direct private key access is the main limiting factor of being able to integrate biscuits with modern key management systems, where direct access to the private key is not possible
I would add a stretch goal to ensure that verify
functionality, in addition to sign, is able to be externalized from biscuits as well.
Some users will want to use their key management service's verify functionality, and some will want to cache public keys locally rather than making that network request on each verification.
Thanks for the work you do 🙏 No urgency from our side to accommodate this use case- we may return to biscuits for our use case at a later time
from biscuit-rust.
Related Issues (20)
- Parsing chained method calls HOT 1
- Datalog boolean expression == does not evaluate properly HOT 3
- CLI long execution time HOT 3
- boolean logic should be lazy
- samples validation failure HOT 3
- Make biscuit-auth token::RootKeyProviter public HOT 3
- use separate version git tags for the different crates
- Detect free variables in expressions
- `RUSTSEC-2022-0093` security advisory
- Support heterogeneous sets
- `query_exactly_one()`
- Can't query facts added with authorizer_merge! HOT 2
- Non-deterministic output of `Authorizer.dump_code()` HOT 1
- Hidden state in `Authorizer` HOT 1
- Merging block builders with scope annotations
- Consider adding `impl TryFrom<Fact> for String` HOT 1
- Create new release HOT 1
- Proposal: Use padding free Base64 encoding/decoding HOT 4
- Cleanup free variables detection HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from biscuit-rust.