Comments (6)
Firstyear
commented on June 9, 2024
1
Yeah. The previous usecase that almost all requests were related too was to have public clients with localhost redirects - we've solved that now in a more secure, and simpler manner.
from kanidm.
0xC0ncord
commented on June 9, 2024
One use case for this is to have multiple environments where the application is deployed but only one single OAuth2 client, e.g. a production, staging, and dev environment:
- myapp.example.com
- myapp-staging.example.com
- myapp-dev.example.com
from kanidm.
Firstyear
commented on June 9, 2024
One use case for this is to have multiple environments where the application is deployed but only one single OAuth2 client, e.g. a production, staging, and dev environment:
* myapp.example.com * myapp-staging.example.com * myapp-dev.example.com
This use-case is exactly why I don't want to allow multiple origins. You should never mix production staging and dev credentials and application domains. This would allow a dev access token to be usable against a production resource server. So compromise of dev becomes compromise of production.
At the moment by forcing single origin, we force you to have separate security domains between each client, preventing users from making the security mistake in the first place.
from kanidm.
0xC0ncord
commented on June 9, 2024
This use-case is exactly why I don't want to allow multiple origins. You should never mix production staging and dev credentials and application domains. This would allow a dev access token to be usable against a production resource server. So compromise of dev becomes compromise of production.
At the moment by forcing single origin, we force you to have separate security domains between each client, preventing users from making the security mistake in the first place.
I agree I think that's a very compelling reason to not have such a capability. Truthfully I can't think of another use case myself -- I don't personally have a need for this feature. I was searching around for potential use cases based on the fact that Keycloak supports this but the reasoning I provided was the only one I could find.
from kanidm.
TheRealGramdalf
commented on June 9, 2024
I'm really not sure how this is intended to work, but would multiple URLs/URIs be required for e.g. astubenbord/paperless-mobile#374 (using a paperless:// URI with a mobile application)? Or does that only concern the callback URI, since actual authentication happens directly in a web page (which uses the correct URL)?
from kanidm.
yaleman
commented on June 9, 2024
I'm really not sure how this is intended to work, but would multiple URLs/URIs be required for e.g. astubenbord/paperless-mobile#374 (using a
paperless://URI with a mobile application)? Or does that only concern the callback URI, since actual authentication happens directly in a web page (which uses the correct URL)?
That could be a valid use case, but we'd need to see how it worked in general (ie, can it be tested with an RS dedicated to that URL?)
.. though most likely the auth will be against the server's URL, which the app can request a token for using that URL.
from kanidm.
Related Issues (20)
- Using / Decoding Service Account API Tokens results in invalid base64 error HOT 4
- kanidm-unixd stops returning users after a while HOT 4
- Check book for upgrade process
- API: possible to honor uuid as rs_name in calls to /v1/oauth2/{rs_name}? HOT 1
- minor: polish on quickstart
- Error creating oauth2 HOT 4
- Active Directory sync or auth HOT 4
- On richer custom claim values HOT 9
- Schema Violation in validation of modify_pre_apply when upgrading from beta-13 to rc-16 HOT 8
- Add kinda "published" attribute to oauth2 apps HOT 9
- Housekeeping Items
- Oauth2 client configuration parameters visible to users who are not members of the application group HOT 1
- unixd/client - discover servers via dns HOT 5
- last_modified_cid stores the create time
- Allow cli tool to specify and modify group description
- ldap-sync can not use attribute twice
- Shouldn't GET particular resource return 404 "nomatchingentries"?
- Several API inconsistencies IMO HOT 1
- Adding "id" custom claim downs the server HOT 1
- update-scope-map allows submission of invalid array
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from kanidm.