jsdw / weave

A simple CLI router for wiring together several sources behind a single HTTP endpoint
MIT License

minimalistic authentication resp. identity provider support #2

Open mash-graz opened 5 years ago

mash-graz commented 5 years ago

your project looks really interesting! :+1:

i just want to express a feature request, which could make it even more useful:

it would be very helpful if weave could also act as a minimalist (i.e. simple file based) identity provider to test OIDC/JWT gated webservices during development, so we wouldn't have to install java based bloatware (keycloak, etc.) for this purpose anymore.

i don't know if this looks realizable and worth the effort to you, but it's at least a suggestion which could somehow fit into your application's general concept.

jsdw commented 5 years ago

Hello, thanks for the suggestion!

Could you give me a little more detail on how you'd see this feature working? Perhaps an example of how it might be used?

mash-graz commented 5 years ago

unfortunately it's only a very vague idea -- more a nebulous desire, than something which could be simply copied from any already existing similar solution.

if i'm not wrong, weave tries to handle some tasks in a very simple but sufficient manner, which are usually only available in much more complex and resource-hungry server and cloud setups. this makes it a very attractive choice to test components during development or even deploy some little custom services in a minimalist working environment. but beside all the routing and static file serving capabilities, which weave already supports in a very impressive manner, access control could be seen as a practical requirement, which very often should be present even in this kind of radically reduced server context.

to keep it as simple as possible, i would suggest using/supporting only a few manual entries in a plain user/passwd file or sqlite database -- but still handling the actual authentication process as close as possible to common OpenID Connect based authentication workflows, to make the actual webpages resp. webservices, which we try to weave together, compatible with the common standards utilized everywhere else nowadays.

there is already a handful of crates available to handle the more serious cryptographic tasks related to JSON web tokens and OpenID Connect processing (e.g. biscuit, jsonwebtoken, ... or more generally: https://lib.rs/authentication), but most of this stuff doesn't support much more than utilizing one of the well-known monopolist id providers in your client side code. IMHO there are no lightweight web authentication solutions available in rust until now which would cover the whole process also on the server side resp. act as a simple id provider.

but access control and security related development is always tedious work, if you want to do it right. and i really don't know, if you share my desire/need for such an extension. perhaps it's just a very crazy idea, which doesn't make much sense from a more objective point of view.
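A sketch of what the file-based identity provider proposed above could look like, written as an added example for this thread (it is not weave's code, nor anything mash-graz or jsdw posted): a PBKDF2-hashed credential table standing in for the user/passwd file, an HS256-signed JWT with issuer and expiry claims, and a verifier that pins the algorithm and uses constant-time comparison. Python with only the standard library is used so it runs offline; the user entry, salt, signing key and issuer URL are constructed placeholders.

```python
import base64, hashlib, hmac, json, time
# Constructed stand-in for the "plain user/passwd file": username -> (salt, PBKDF2-SHA256 hash).
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
_SALT = b"demo-salt-16byte"  # constructed; use a fresh random salt per user in practice
USERS = {"alice": (_SALT, _pbkdf2("correct horse", _SALT))}
SIGNING_KEY = b"hypothetical-hs256-secret"  # assumption: HS256 shared secret, loaded from config
ISSUER = "http://localhost:8080"  # assumption: the endpoint acting as token issuer

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_password(username: str, password: str) -> bool:
    entry = USERS.get(username)
    if entry is None:
        _pbkdf2(password, _SALT)  # burn the same work so unknown users are not faster to probe
        return False
    salt, stored = entry
    return hmac.compare_digest(_pbkdf2(password, salt), stored)

def issue_token(username: str, password: str, now=None, ttl: int = 300):
    """Return a short-lived HS256 JWT for valid credentials, else None."""
    if not check_password(username, password):
        return None
    now = int(time.time()) if now is None else now
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    claims = {"iss": ISSUER, "sub": username, "iat": now, "exp": now + ttl}
    signing_input = enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(claims)
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, now=None):
    """Return the claims if alg, signature, issuer and expiry all check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # reject alg=none and friends
            return None
        expected = hmac.new(SIGNING_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(c))
        if claims.get("iss") != ISSUER or claims.get("exp", 0) <= now:
            return None
    except (ValueError, AttributeError, TypeError):  # malformed token, base64, JSON or claim types
        return None
    return claims
```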

jsdw commented 5 years ago

Thanks for the idea! My gut feeling is that adding more complex auth flows is a little out of the current scope of weave.

Adding basic auth is tempting as it would be relatively little work, and could serve to restrict access to small demos and things that you've hacked together and want to serve on your public interface to show to others. However, this would also benefit greatly from implementing https support, which would require certificates and such. Definitely something I'll think about though, and I welcome any use cases you might have for adding auth mechanisms to weave!