buzzfeed / sso

sso, aka S.S.Octopus, aka octoboi, is a single sign-on solution for securing internal services
MIT License
3.08k stars 187 forks

sso_proxy: document request signing #185

Open mccutchen opened 5 years ago

mccutchen commented 5 years ago

Is your feature request related to a problem? Please describe.

The public key-based request signing functionality added to sso_proxy in https://github.com/buzzfeed/sso/pull/106 is undocumented. In particular, it's not immediately obvious how to a) generate an appropriate keypair or b) validate a signed request in an upstream service.

Describe the solution you'd like

New documentation for this functionality, ideally accompanied by a reference implementation for verifying a signed request.

To start, generating an appropriate keypair for sso_proxy to use for signing requests is as simple as

openssl genrsa -out priv.out 2048
mccutchen commented 5 years ago

Note: The old method for request signing (based on a per-upstream shared secret) is documented here: https://github.com/buzzfeed/sso/blob/master/docs/sso_config.md#request-signing

Those docs should probably be deprecated or removed in favor of the new approach!

mccutchen commented 5 years ago

> To start, generating an appropriate keypair for sso_proxy to use for signing requests is as simple as
>
> openssl genrsa -out priv.out 2048

Turns out the above generates a key in PKCS#1 format (I think?), but we need one in PKCS#8 format, which requires an extra conversion step. Luckily, this is still relatively straightforward to do in one pass:

openssl genrsa 2048 | openssl pkcs8 -topk8 -inform pem -outform pem -nocrypt

Many thanks to the wizards of Stack Overflow for explaining this.
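The two points raised above, the PKCS#1 vs. PKCS#8 distinction and the lack of a reference verifier for upstream services, can be shown together in Go (the language sso_proxy is written in). The following is an added example written for this thread, not code from the buzzfeed/sso repository: Go's `x509.ParsePKCS8PrivateKey` only accepts the `BEGIN PRIVATE KEY` form that the `openssl pkcs8 -topk8` pipeline produces, so the loader names the conversion step when it is handed a bare `openssl genrsa` (PKCS#1, `BEGIN RSA PRIVATE KEY`) key. The canonical string that gets signed (method, path, two forwarded headers, body hash) and the RSASSA-PKCS1-v1_5/SHA-256 choice are assumptions for the example; sso_proxy's actual wire format is what the requested documentation would have to pin down.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// LoadSigningKey accepts the PEM produced by
// `openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt` (PKCS#8).
// A bare `openssl genrsa` key (PKCS#1) is recognised by its PEM type
// and rejected with an error that names the missing conversion step.
func LoadSigningKey(pemBytes []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	switch block.Type {
	case "PRIVATE KEY": // PKCS#8
		key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		rsaKey, ok := key.(*rsa.PrivateKey)
		if !ok {
			return nil, errors.New("PKCS#8 key is not an RSA key")
		}
		return rsaKey, nil
	case "RSA PRIVATE KEY": // PKCS#1
		return nil, errors.New("key is PKCS#1; convert it with: openssl pkcs8 -topk8 -inform pem -outform pem -nocrypt")
	default:
		return nil, fmt.Errorf("unsupported PEM type %q", block.Type)
	}
}

// canonicalize builds the bytes both proxy and upstream sign/verify.
// Assumed layout for this example, not sso_proxy's real format: the
// body is bound through its SHA-256 hash so a swapped body fails too.
func canonicalize(method, path string, headers map[string]string, body []byte) []byte {
	var b strings.Builder
	b.WriteString(method + "\n" + path + "\n")
	for _, k := range []string{"X-Forwarded-User", "X-Forwarded-Email"} {
		b.WriteString(k + ":" + headers[k] + "\n")
	}
	sum := sha256.Sum256(body)
	b.WriteString(base64.StdEncoding.EncodeToString(sum[:]))
	return []byte(b.String())
}

// SignRequest is the proxy side: base64(RSASSA-PKCS1-v1_5(SHA-256(canonical))).
func SignRequest(key *rsa.PrivateKey, method, path string, headers map[string]string, body []byte) (string, error) {
	digest := sha256.Sum256(canonicalize(method, path, headers, body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyRequest is the upstream side: it needs only the public key and
// must rebuild exactly the same canonical bytes from the received request.
func VerifyRequest(pub *rsa.PublicKey, method, path string, headers map[string]string, body []byte, sigB64 string) error {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(canonicalize(method, path, headers, body))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// PKCS8PEM and PKCS1PEM render a key the two ways the openssl commands
// in this thread do, so the loader can be exercised without files.
func PKCS8PEM(key *rsa.PrivateKey) []byte {
	der, _ := x509.MarshalPKCS8PrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
}

func PKCS1PEM(key *rsa.PrivateKey) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
}

func main() {
	raw, _ := rsa.GenerateKey(rand.Reader, 2048)
	if _, err := LoadSigningKey(PKCS1PEM(raw)); err != nil {
		fmt.Println("PKCS#1 key rejected:", err)
	}
	key, _ := LoadSigningKey(PKCS8PEM(raw))
	// Constructed sample request; values are placeholders, not real users.
	hdrs := map[string]string{"X-Forwarded-User": "alice", "X-Forwarded-Email": "alice@example.com"}
	body := []byte(`{"action":"list"}`)
	sig, _ := SignRequest(key, "POST", "/api/items", hdrs, body)
	fmt.Println("upstream verify:", VerifyRequest(&key.PublicKey, "POST", "/api/items", hdrs, body, sig))
	hdrs["X-Forwarded-User"] = "mallory"
	fmt.Println("tampered header:", VerifyRequest(&key.PublicKey, "POST", "/api/items", hdrs, body, sig))
}
```

The upstream side only ever holds the public key, so distributing it is the only provisioning step; the tampered-header check at the end is the property an upstream should test for before trusting `X-Forwarded-*` headers from the proxy.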

nebevservian commented 5 years ago

I found the documentation pretty sparse and needed a NodeJS application to verify the signatures.

I created a library at: https://www.npmjs.com/package/signature-verifier-buzzfeed-sso

Hopefully this helps someone.

sporkmonger commented 5 years ago

Is it possible to do request signing with not-RSA?