
Message level encryption support?

Open matti777 opened this issue 6 years ago • 2 comments

Hello, I was wondering if there is a nifty way to inject message-level encryption? I am using (and loving) this library for several projects and am now facing implementing this: https://developer.signicat.com/documentation/finnish-trust-network/full-message-level-encryption-for-ftn/

If not, any bright ideas how to add support for it without breaking the current functionality? - I might be able to submit a PR for it after the summer.

I would assume there will be similar needs for message-level encryption arising soon elsewhere too.

matti777 avatar Jul 11 '19 06:07 matti777

This is the upstream spec as far as I can tell: https://openid.net/specs/openid-connect-messages-1_0-20.html

golang.org/x/oauth2 is the package that currently handles the OAuth2 requests (auth request, token request). This would likely be something to let the RemoteKeySet returned by the Provider encrypt data, then the user would be able to sub out their own auth and token requests instead of having golang.org/x/oauth2 do it.

What other providers do this? Any idea what attack it's attempting to prevent?

ericchiang avatar Jul 12 '19 18:07 ericchiang
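The RP-side half of message-level encryption, as an added example that is not part of go-oidc or of this thread: it assumes the ID token arrives as a compact JWE (alg RSA-OAEP-256, enc A256GCM, cty JWT) wrapping the ordinary signed JWT, uses only the Go standard library, and the function name and algorithm choice are this example's assumptions rather than values the Signicat or OpenID documents mandate.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// DecryptNestedJWT unwraps a compact JWE (RFC 7516; alg RSA-OAEP-256, enc
// A256GCM, cty JWT) with the RP's private key and returns the signed ID token
// inside it. The caller still runs that JWS through the usual IDTokenVerifier.
func DecryptNestedJWT(priv *rsa.PrivateKey, compact string) (string, error) {
	parts := strings.Split(compact, ".")
	if len(parts) != 5 {
		return "", errors.New("jwe: expected 5 compact segments")
	}
	raw := make([][]byte, 5) // protected header, encrypted key, iv, ciphertext, tag
	var err error
	for i, p := range parts {
		if raw[i], err = base64.RawURLEncoding.DecodeString(p); err != nil {
			return "", errors.New("jwe: segment is not base64url")
		}
	}
	hdr := map[string]string{}
	if err = json.Unmarshal(raw[0], &hdr); err != nil {
		return "", err
	}
	// The RP, not the sender, decides which algorithms are acceptable.
	if hdr["alg"] != "RSA-OAEP-256" || hdr["enc"] != "A256GCM" || hdr["cty"] != "JWT" {
		return "", errors.New("jwe: unexpected alg/enc/cty in protected header")
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, raw[1], nil)
	if err != nil || len(cek) != 32 || len(raw[2]) != 12 {
		return "", errors.New("jwe: bad wrapped key or iv")
	}
	block, _ := aes.NewCipher(cek) // cannot fail: 32-byte key checked above
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES; nonce is 12 bytes
	// AAD is the ASCII of the base64url header (RFC 7516 §5.1); Open checks the tag first.
	plain, err := gcm.Open(nil, raw[2], append(raw[3], raw[4]...), []byte(parts[0]))
	if err != nil {
		return "", errors.New("jwe: authentication failed")
	}
	return string(plain), nil
}
```

Decryption only gives confidentiality in transit; issuer, audience and signature are still established by the inner JWS, so the returned string goes to the existing verifier unchanged.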

As for the former, I have no answer for this. As for the latter, I am guessing mostly paranoia.

matti777 avatar Jul 15 '19 07:07 matti777