oxyno-zeta / s3-proxy

S3 Reverse Proxy with GET, PUT and DELETE methods and authentication (OpenID Connect and Basic Auth)
https://oxyno-zeta.github.io/s3-proxy/
Apache License 2.0
281 stars, 31 forks

Support PASETO authentication #374

Closed (zbiljic closed 10 months ago)

zbiljic commented 11 months ago

It would be nice to have a "scalable" authentication method which does not require involving additional services. Basic authentication does not require an additional service; however, it does require specifying each user separately.

The most well-known are probably JSON Web Tokens (JWT); however, there are other options as well.

Describe the solution you'd like

I would like to propose adding support for another authentication method. PASETO is a specification for secure stateless tokens (similar to JWT, but "simpler" to use). With this (or JWT), one could create "secure" tokens on 'another service' (which can have an expiry time and contain arbitrary claims), which can be parsed and verified by the 's3-proxy'. Both 'another service' and 's3-proxy' would just need to have the same shared key configured, or a private key on 'another service' and the public key on 's3-proxy'.

Describe alternatives you've considered

I have tried the current authentication options, but as I mentioned they either require managing an external auth service, or a "fixed" configuration (for Basic auth).

Additional context

JSON Web Tokens (JWT) may be a better idea to implement, since people may be better acquainted with them; however, PASETO seemed like an easier thing to implement.

I am not writing this issue so much to request this feature, but more to ask if this is something that would be accepted if I were to create a PR for it.

Regarding that, I already have pretty much everything implemented. The only thing left is to find where to add some additional tests and to update the documentation, and then I could create a PR.
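The issuer/verifier split described above (private key on the issuing service, only the public key on the proxy, expiry and arbitrary claims inside the token) is easiest to see in code. The following is an added example written for this page, not the author's unpublished PR and not part of s3-proxy. It is modelled on the layout of a PASETO v4 public-mode token (version/purpose header, JSON payload, Ed25519 signature over the pre-authentication-encoded pieces) using only the Go standard library; treat it as an illustration of the design, not as a conformant or audited PASETO implementation. The `Claims` struct, the `Sign`/`Verify` function names and the subject "alice" are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Version/purpose header of a public-mode (signed, not encrypted) token.
const header = "v4.public."

// Claims carried in the token. For stateless use the expiry is mandatory:
// there is no server-side session to revoke, so time is the only bound.
type Claims struct {
	Subject string    `json:"sub"`
	Expiry  time.Time `json:"exp"`
}

// pae is PASETO's Pre-Authentication Encoding: a little-endian count, then
// each piece prefixed by its little-endian length. Length-prefixing means the
// header, payload and footer cannot be shifted into one another by an attacker.
func pae(pieces ...[]byte) []byte {
	out := make([]byte, 8)
	binary.LittleEndian.PutUint64(out, uint64(len(pieces)))
	for _, p := range pieces {
		var l [8]byte
		binary.LittleEndian.PutUint64(l[:], uint64(len(p)))
		out = append(out, l[:]...)
		out = append(out, p...)
	}
	return out
}

// Sign runs on the issuing service ("another service" in the issue): it is the
// only party that holds the private key. Footer and implicit assertion are empty.
func Sign(priv ed25519.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(priv, pae([]byte(header), payload, []byte(""), []byte("")))
	return header + base64.RawURLEncoding.EncodeToString(append(payload, sig...)), nil
}

// Verify runs on the proxy side with only the public key. The version/purpose
// prefix is checked first so a token of another type is rejected before any
// parsing; the signature is checked before the JSON is trusted; and expiry is
// checked against a caller-supplied clock so the test below is deterministic.
func Verify(pub ed25519.PublicKey, token string, now time.Time) (*Claims, error) {
	if !strings.HasPrefix(token, header) {
		return nil, errors.New("unexpected token version/purpose")
	}
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimPrefix(token, header))
	if err != nil {
		return nil, err
	}
	if len(raw) < ed25519.SignatureSize {
		return nil, errors.New("token too short")
	}
	payload, sig := raw[:len(raw)-ed25519.SignatureSize], raw[len(raw)-ed25519.SignatureSize:]
	if !ed25519.Verify(pub, pae([]byte(header), payload, []byte(""), []byte("")), sig) {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if !now.Before(c.Expiry) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	// Key pair generated for the example; in practice only pub is deployed to the proxy.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tok, _ := Sign(priv, Claims{Subject: "alice", Expiry: time.Now().Add(time.Hour)})
	c, err := Verify(pub, tok, time.Now())
	fmt.Println(tok[:20]+"...", c, err)
	_, err = Verify(pub, tok, time.Now().Add(2*time.Hour))
	fmt.Println("after expiry:", err)
}
```

The proxy never needs the private key, so a compromised proxy cannot mint tokens; that is the property that makes the approach "scalable" compared with per-user Basic auth entries. Note the check order in `Verify`: reject unknown versions first, verify the signature before deserialising anything, and only then evaluate claims.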

oxyno-zeta commented 10 months ago

Hello @zbiljic ,

Sorry for being so late. I missed the notification about your issue.

I've checked the PASETO website and I must admit that I'm a bit surprised by this. It is the first time I'm seeing this. I did some research and I cannot find any provider for that technology. Do you have one like Okta, Google, ... ?

Oxyno-zeta

zbiljic commented 10 months ago

No problem @oxyno-zeta, your response caught me on vacation (reason for my late reply).

PASETO is not any kind of provider (like Okta or Google), but a type of token that can be used (similar to JWT). Currently many providers actually use JWTs for ID tokens. These are just a "simpler" version of them. They are closer in nature to Basic Auth than to some external provider.

My plan was to maybe add support for JWTs as well after this one.

After I opened this issue to ask, and made all the changes, I started considering maybe creating a separate service, which can just do authentication, and leverage the existing "Header configuration authorization" here. In that case there would not be a need for this. Of course, if you are still interested in having this, I could proceed with it as well.

oxyno-zeta commented 10 months ago

Hi @zbiljic ,

After a bit of time, I think that having a proxy that will set headers is a good solution.

I don't see a lot of projects using PASETO and I prefer not to have it at the moment.

Thanks for your proposal.

Have a nice day,

Oxyno-zeta

zbiljic commented 10 months ago

Sure thing, I completely understand.

Will close this issue.