veraison / go-cose

go library for CBOR Object Signing and Encryption (COSE)
Mozilla Public License 2.0

Built In Functions for OPA #142

Closed OR13 closed 9 months ago

OR13 commented 1 year ago

What is the area you would like to add the new feature to?

Go-COSE Library

Is your feature request related to a problem?

Yes, but not in this library.

OPA generally does not support COSE without an extension.

It does support JOSE very well.

What solution do you propose?

Define some builtins and register them for use, covering the basics of COSE Key and COSE Sign.

https://www.openpolicyagent.org/docs/latest/contrib-adding-builtin-functions/

What alternatives have you considered?

Using JOSE

Any additional context?

I know this is not really the right repo to ask for this, but anything we can do to improve support for COSE in tangent systems increases the potential use of this library.

ivarprudnikov commented 1 year ago

This is interesting. OPA clearly says

"Implementations should avoid third-party dependencies. If absolutely necessary, consider importing the code manually into the internal package."

which would mean we'd need to copy the cose library functionality somewhere into OPA. This would need to be maintained in two places and would raise questions about versioning I guess.

Also, JWT support is clear: this is a widely used token format. It is a gift to wider JOSE users as it is supported out of the box. COSE, on the other hand, is not that popular.

Another thing is that their own cryptography extension functions are limited: https://www.openpolicyagent.org/docs/latest/policy-reference/#crypto. What value would there be in adding COSE to the list? I bet they have their own priorities. Besides, who would use it and in which scenarios?

OR13 commented 1 year ago

Please make sure to comment on https://github.com/open-policy-agent/opa/issues/5907

SteveLasker commented 9 months ago

Happy to see support added. Closing as stale for now.