Mark Laing
> The `c.flagAcceptCert` makes me think. Is there ever a case where you would provide a token which doesn't contain the server's fingerprint? Because if not we could also think...
> @markylaing when you get a moment I'd appreciate your thoughts on how we could approach this one. > > Could we encode (& encrypt) the necessary info in the...
I've been thinking a little more on this. A better approach might be to use the same cookie encryption mechanism as with browser cookies. We can use the session ID...
> I've been thinking a little more on this. > > A better approach might be to use the same cookie encryption mechanism as with browser cookies. We can use...
Another idea for this: Set up a background task in LXD to generate a UUID or token and store it in the database. The UUID should be overwritten on a...
For the first point, we already rotate cookie encryption keys for the OIDC verifier every 5 minutes and haven't encountered this issue. I'd say the configurable duration should be not...
> question: why is it safe to use the same nonce + key pair multiple times? AFAICT the securecookies lib is using AES CTR, which has the weakness that if...
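The quoted question concerns the classic CTR-mode failure: the keystream is a function of key and nonce only, so two messages encrypted under the same key and nonce get the same keystream and their ciphertexts XOR to the XOR of the plaintexts. The following Go program is an added illustration written for this page; it is not code from the thread, from LXD or from the securecookie library, and it makes no claim about what that library actually does. It uses only the Go standard library, and the key, IV and the two cookie-like plaintexts are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed sample data for the demonstration (not real LXD keys or cookies).
var (
	demoKey = []byte("0123456789abcdef") // 16-byte AES-128 key
	demoIV  = []byte("fixed-iv-16bytes") // 16-byte CTR nonce/IV, deliberately reused
	demoP1  = []byte("session-id=42;user=alice;exp=1700000000")
	demoP2  = []byte("session-id=43;user=bob;exp=1700000001")
)

// ctrEncrypt runs AES in CTR mode: ciphertext = plaintext XOR keystream(key, iv).
// The keystream depends only on key and iv, so reusing both repeats it exactly.
func ctrEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(out, plaintext)
	return out, nil
}

// xorBytes XORs a and b over their common prefix.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// RecoverWithKnownPlaintext exploits keystream reuse: c1 XOR c2 == p1 XOR p2
// because the shared keystream cancels, so knowing p1 yields p2 without the key.
func RecoverWithKnownPlaintext(c1, c2, p1 []byte) []byte {
	return xorBytes(xorBytes(c1, c2), p1)
}

// ReuseAttack encrypts both sample plaintexts under the same key and IV and
// returns what an attacker holding c1, c2 and p1 learns about p2.
func ReuseAttack() ([]byte, error) {
	c1, err := ctrEncrypt(demoKey, demoIV, demoP1)
	if err != nil {
		return nil, err
	}
	c2, err := ctrEncrypt(demoKey, demoIV, demoP2)
	if err != nil {
		return nil, err
	}
	return RecoverWithKnownPlaintext(c1, c2, demoP1), nil
}

// FreshIVAttack repeats the attack when the second message uses a different IV;
// the keystreams no longer cancel and the "recovered" bytes are garbage.
func FreshIVAttack() ([]byte, error) {
	c1, err := ctrEncrypt(demoKey, demoIV, demoP1)
	if err != nil {
		return nil, err
	}
	otherIV := []byte("another-iv-16byt") // 16 bytes, distinct from demoIV
	c2, err := ctrEncrypt(demoKey, otherIV, demoP2)
	if err != nil {
		return nil, err
	}
	return RecoverWithKnownPlaintext(c1, c2, demoP1), nil
}

func main() {
	got, err := ReuseAttack()
	if err != nil {
		panic(err)
	}
	fmt.Printf("same key+IV: recovered %q (matches p2: %v)\n", got, bytes.Equal(got, demoP2))
	got, err = FreshIVAttack()
	if err != nil {
		panic(err)
	}
	fmt.Printf("fresh IV:    recovered %q (matches p2: %v)\n", got, bytes.Equal(got, demoP2))
}
```

The attack needs no key material: an attacker who can observe two ciphertexts and knows (or can guess, field by field) one plaintext reads the other. Even without a known plaintext, `c1 XOR c2` already leaks the XOR of two structured cookies, which is enough to guess fixed fields such as `user=` and `exp=`. The property holds for any stream cipher, not just AES-CTR, which is why a fresh nonce per message (or a rotating key, as the thread discusses) is the actual requirement.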
I've gained access to an EntraID tenant to check the status of OIDC auth with LXD and I can't recreate this behaviour. One thing that is possible is that your...
Some initial thoughts on this: - The request address is set to `@devlxd` for "security checks". In reality this just enforces that the request uses the exact fingerprint. - All...
> Currently, the `GET /1.0/auth/permissions?entity-type=` API endpoint returns data in a non-deterministic order. Would it be possible to sort the data server-side before sending the response? In the UI, we...