Open dmitrizagidulin opened 5 years ago
I picked SHA3 initially because I had support for it in my implementation stack and it was a newer alg. It was simpler to build with just one for now, but what I think we actually need to do is some kind of crypto agility. Like the client sends this request:
callback: {
  uri: "https://client.foo/callback?state=blab",
  nonce: "12356431",
  alg: "SHA3-512"
}
Or even if the client sends a set of supported algorithms:
alg: ["SHA3-512", "SHA2-512", "ROT13"]
And when the server returns its nonce it also returns the chosen alg:
server_nonce: "6544321",
alg: "SHA2-512"
Currently, the spec requires the hash to be computed using SHA3 512. Would it be possible to also (or instead) support SHA2 512? (My main reason for the request is - WebCryptography API in the browser supports SHA2 but not 3).
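The algorithm negotiation proposed in this thread, as an added example that is not part of the original discussion or the spec: the server picks from its own allowlist rather than trusting the client's list (so an offer containing "ROT13" can never select it), and the client rejects a response naming an algorithm it never offered. The function names, the server's preference order and the sample messages are assumptions made for illustration.

```javascript
// Added example; function names and SERVER_ALGS are hypothetical, not from the spec.
// Server policy: hashes it accepts, most preferred first (assumed order).
const SERVER_ALGS = ["SHA3-512", "SHA2-512"];

// The request may carry a single alg string or a list of them.
function normalizeOffer(alg) {
  const list = Array.isArray(alg) ? alg : [alg];
  const clean = list.filter((a) => typeof a === "string" && a.length > 0);
  if (clean.length === 0) throw new Error("no hash algorithm offered");
  return clean;
}

// Server side: choose the first allowlisted alg the client also offered.
// Iterating the server's list (not the client's) means an unknown or weak
// name in the offer is ignored, and no overlap fails closed.
function chooseAlg(offered, serverAlgs = SERVER_ALGS) {
  const offer = new Set(normalizeOffer(offered));
  const chosen = serverAlgs.find((a) => offer.has(a));
  if (chosen === undefined) {
    throw new Error("no mutually supported hash algorithm");
  }
  return chosen;
}

// Server side: build the response fields shown in the thread.
// serverNonce is passed in; generating it is out of scope here.
function buildResponse(request, serverNonce) {
  return { server_nonce: serverNonce, alg: chooseAlg(request.callback.alg) };
}

// Client side: refuse a response whose alg was never in the offer,
// so the server cannot move the client to an unexpected hash.
function checkServerChoice(offered, response) {
  if (!normalizeOffer(offered).includes(response.alg)) {
    throw new Error("server chose an algorithm that was not offered");
  }
  return response.alg;
}

// Constructed sample: a browser client that can only do SHA-2.
const browserRequest = {
  callback: {
    uri: "https://client.foo/callback?state=blab",
    nonce: "12356431",
    alg: ["SHA2-512", "ROT13"],
  },
};
const sampleResponse = buildResponse(browserRequest, "6544321");
```
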