cakephp / authentication

Authentication plugin for CakePHP. Can also be used in PSR7 based applications.
MIT License

PASETO authenticator and identifier #538

Closed cnizzardini closed 1 year ago

cnizzardini commented 2 years ago

This is a rough draft implementation of PASETO (Platform Agnostic Security Tokens). This supports local symmetric keys and public asymmetric keys, but does not yet have support for keyrings and PASERK which gives functionality similar to JWKS. If there is interest in this I can add support for those items as well as unit tests and docs.

Usage:

Usage is fairly similar to the JWT Authenticator with the addition of a few keys:

        $service->loadIdentifier('Authentication.PasetoSubject');
        $service->loadAuthenticator('Authentication.Paseto', [
            'purpose' => PasetoAuthenticator::LOCAL, // or PasetoAuthenticator::PUBLIC
        ]);

There is also a version which takes an implementation of ProtocolInterface but defaults to the latest version in paseto (currently v4).

Using the public option is a little PITA to generate keys and I'd like to get a shell command added to the main paseto lib to easily generate the public/private key pairs.

Building a local token:

        use Authentication\Authenticator\ResultInterface;
        use Cake\Utility\Security;
        use ParagonIE\Paseto\Builder;
        use ParagonIE\Paseto\Keys\SymmetricKey;
        use ParagonIE\Paseto\Protocol\Version4;
        use ParagonIE\Paseto\Purpose;

        /** @var ResultInterface $result */
        // Derive the v4 local (symmetric) key from the app salt
        $key = SymmetricKey::v4(Security::getSalt());

        $token = (new Builder())
            ->setKey($key)
            ->setSubject($result->getData()->get('id'))
            ->setVersion(new Version4())
            ->setPurpose(Purpose::local())
            ->setIssuedAt()
            ->setNotBefore()
            // Set it to expire in one day
            ->setExpiration(
                (new DateTime())->add(new DateInterval('P01D'))
            )
            // Store arbitrary data (encrypted as part of the payload)
            ->setClaims([
                'claim_data' => 'is encrypted',
            ])
            // Footer is plaintext but authenticated
            ->setFooterArray([
                'footer_data' => 'is unencrypted but tamper proof'
            ]);

Reference:
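The verification side of the flow above, as an added example that is not part of the PR or the paseto library: it pins the parser to v4 local tokens, enforces the iat/nbf/exp claims with the library's ValidAt rule, and rejects expired or modified tokens. It assumes paragonie/paseto is installed via Composer and uses a randomly generated key instead of Security::getSalt().

```php
<?php
declare(strict_types=1);
require __DIR__ . '/vendor/autoload.php';

use ParagonIE\Paseto\Builder;
use ParagonIE\Paseto\Exception\PasetoException;
use ParagonIE\Paseto\Keys\SymmetricKey;
use ParagonIE\Paseto\Parser;
use ParagonIE\Paseto\ProtocolCollection;
use ParagonIE\Paseto\Protocol\Version4;
use ParagonIE\Paseto\Purpose;
use ParagonIE\Paseto\Rules\ValidAt;

// Returns the token subject on success, or null on any failure: wrong key,
// wrong version or purpose, tampering, or outside the iat/nbf/exp window.
function verifyLocalToken(string $raw, SymmetricKey $key): ?string
{
    $parser = (new Parser())
        ->setKey($key)
        ->setPurpose(Purpose::local())                 // refuse "public" tokens
        ->setAllowedVersions(ProtocolCollection::v4()) // no version downgrade
        ->addRule(new ValidAt());                      // checks iat, nbf and exp
    try {
        return $parser->parse($raw)->getSubject();
    } catch (PasetoException $e) {
        return null;
    }
}

function buildToken(SymmetricKey $key, string $subject, DateTimeImmutable $exp): string
{
    return (new Builder())
        ->setKey($key)
        ->setVersion(new Version4())
        ->setPurpose(Purpose::local())
        ->setSubject($subject)
        ->setIssuedAt()
        ->setNotBefore()
        ->setExpiration($exp)
        ->setFooterArray(['kid' => 'example-key-1'])   // constructed footer value
        ->toString();
}

$key = SymmetricKey::generate(new Version4());         // 32 random bytes (assumed helper)
$valid   = buildToken($key, '42', new DateTimeImmutable('+1 day'));
$expired = buildToken($key, '42', new DateTimeImmutable('-1 minute'));
// Flip one character inside the ciphertext segment (v4.local.<payload>.<footer>)
$parts = explode('.', $valid);
$parts[2][10] = $parts[2][10] === 'A' ? 'B' : 'A';
$tampered = implode('.', $parts);

foreach (['valid' => $valid, 'expired' => $expired, 'tampered' => $tampered] as $label => $t) {
    echo $label, ': ', verifyLocalToken($t, $key) ?? 'rejected', PHP_EOL;
}
```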

othercorey commented 2 years ago

@cnizzardini After fixing the phpstan error, can you squash the commits?

othercorey commented 2 years ago

@cnizzardini Can you follow up on this?

cnizzardini commented 2 years ago

It's on my mind, some personal items getting in the way of free-time dev right now. Gimme a few days.

On Tue, Jun 21, 2022 at 3:24 PM othercorey @.***> wrote:

@cnizzardini https://github.com/cnizzardini Can you follow up on this?


othercorey commented 2 years ago

@markstory can you take another look?

github-actions[bot] commented 1 year ago

This pull request is stale because it has been open 30 days with no activity. Remove the stale label or comment on this issue, or it will be closed in 15 days.