13
39
Fork
You've already forked forte
10

Comments / questions on OpenWebAuth V4 #35

Merged
streams merged 6 commits from FenTiger/forte:openwebauth-v4 into dev 2025年07月14日 21:08:07 +02:00
Contributor
Copy link

My comments / questions from here as a PR.

Hopefully splitting it up like this will make things clearer.

Sorry for not getting to this sooner - it's been very hot here.

My comments / questions from [here](https://zotum.net/channel/fentiger?mid=a41ba10a-cd7c-4486-8b14-7ca4e47a0ef4) as a PR. Hopefully splitting it up like this will make things clearer. Sorry for not getting to this sooner - it's been very hot here.
No material changes; I've just combined the two "Discovery" sections
into one, and added some headings to separate the protocol into steps.
Also update the "last change" date.
This has implications for the way they are cached.
This is an opaque value which is provided by the target instance when
it does the initial redirect, and is reflected back to it in the token
request and in the final redirect.
This allows it to do two things:
- Positively identify which active login flow is responsible for each
 token request. This makes the data structure management a bit simpler
 for applications like mine which fetch the AP actor record up front
 rather than from the token endpoint; this will also allow me to reject
 any token requests which come "out of the blue" rather than being
 triggered by a previous request to the protected resource URL, which
 makes me feel a bit more comfortable even though I'll admit that I
 don't have a specific attack in mind
- Identify which active login flow is responsible for the subsequent
 request to the destination URL. This allows me to use a single
 destination URL for all OWA flows, meaning that only that endpoint
 needs to be able to handle the "owa_token" parameter; I can use the
 "owa_state" to look up the active flow and find the user's original
 destination URL. This is also possible by embedding the state
 parameter into the destination URL rather than providing it
 separately, but as I mentioned above, it would be convenient to have
 it present in the token request too.
It's a bit of a departure, but it saves a round trip and offers a bit
more flexibility about what information is provided.
Sign in to join this conversation.
No reviewers
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
fortified/forte!35
Reference in a new issue
fortified/forte
No description provided.
Delete branch "FenTiger/forte:openwebauth-v4"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?