
ES256 Support in OIDC #5390

Open
1 task done
Adiack06 opened this issue Jan 5, 2025 · 3 comments

Comments

@Adiack06

Adiack06 commented Jan 5, 2025

Describe the feature you'd like

ES256 implementation for OIDC

Describe the benefits this would bring to existing BookStack users

It would allow the use of the far more secure and up-to-date signing format which is preferable for security especially as RS256 is generally on the way out.
It would also work better for people who use Let's Encrypt for signing certs as that is what they typically provide.

Can the goal of this request already be achieved via other means?

No

Have you searched for an existing open/closed issue?

  • I have searched for existing issues and none cover my fundamental request

How long have you been using BookStack?

Under 3 months

Additional context

No response

@ssddanbrown
Member

ES256, following the spec, is ECDSA using P-256 and SHA-256.
Looks like it should be supported by the lib we're already using to verify signatures: https://phpseclib.com/
Would need to check/validate the process/format for certs provided via config, as well as autodiscovery.

Tricky to find any useful information out there regarding widespread use/plans/changes in ES256 use for OIDC.
The JWA spec does mark it as recommended+, hinting at being required in future, so may be a good indicator at specifically supporting ES256 over any other potential algorithm, but not sure about timings around that or realistic use in the OIDC landscape.
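As an added example, not code from BookStack, its maintainer or phpseclib, the following Go program shows the three things the comment above says would need checking for an ES256 implementation: the JWK shape a provider's jwks_uri autodiscovery returns for a P-256 key, the signature format JWS requires (raw R||S, 64 bytes, not the ASN.1 DER that OpenSSL and most crypto libraries emit by default), and a verifier that pins the algorithm to what the key supports rather than trusting the token's alg header. Go's standard library is used so the example runs with no third-party dependency; a port onto phpseclib would make the same checks. All names (jwk, publicJWK, parseJWK, signES256, verifyES256, b64), the key material and the claims are constructed for this example and assumed, not taken from the project.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // unpadded base64url, as JWS requires for every segment

// jwk holds the fields an OIDC provider publishes at its jwks_uri for a P-256 key.
type jwk struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

// publicJWK exports a P-256 public key the way a provider's jwks_uri would present it.
func publicJWK(pub *ecdsa.PublicKey) jwk {
	return jwk{Kty: "EC", Crv: "P-256",
		X: b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
		Y: b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}
}

// parseJWK rebuilds the public key from a discovered JWK, accepting only P-256 (all ES256 permits).
func parseJWK(k jwk) (*ecdsa.PublicKey, error) {
	x, errX := b64.DecodeString(k.X)
	y, errY := b64.DecodeString(k.Y)
	if k.Kty != "EC" || k.Crv != "P-256" || errX != nil || errY != nil || len(x) != 32 || len(y) != 32 {
		return nil, errors.New("jwk: not a well-formed P-256 EC key")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return nil, errors.New("jwk: point is not on P-256")
	}
	return pub, nil
}

// signES256 builds a compact JWS: b64(header).b64(payload).b64(R||S).
func signES256(priv *ecdsa.PrivateKey, claims map[string]any) (string, error) {
	hdr := []byte(`{"alg":"ES256","typ":"JWT"}`)
	pl, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	digest := sha256.Sum256([]byte(signingInput)) // ES256: ECDSA over P-256 with SHA-256
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// RFC 7518 section 3.4: the signature is R||S, each left-padded to 32 bytes, not ASN.1 DER.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyES256 checks a compact JWS against a discovered JWK and returns its claims.
func verifyES256(token string, key jwk) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jws: expected three segments")
	}
	hdrBytes, errH := b64.DecodeString(parts[0])
	sig, errS := b64.DecodeString(parts[2]) // a DER signature (OpenSSL's default) is ~70 bytes and fails here
	if errH != nil || errS != nil || len(sig) != 64 {
		return nil, errors.New("jws: malformed segment, or signature is not raw 64-byte R||S")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "ES256" { // the key decides the algorithm; the token's alg may only confirm it
		return nil, errors.New("jws: alg is not ES256")
	}
	pub, err := parseJWK(key)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("jws: signature does not verify")
	}
	var claims map[string]any
	pl, err := b64.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(pl, &claims)
	}
	return claims, err
}
```

Usage: generate a P-256 key with ecdsa.GenerateKey(elliptic.P256(), rand.Reader), publish publicJWK(&priv.PublicKey) as the jwks_uri document, sign with signES256 and verify with verifyES256. Two caveats carry over to any implementation: if the underlying library produces or expects DER-encoded ECDSA signatures, the conversion to and from R||S has to be explicit and the length checked, and the verifier must select the algorithm from the configured or discovered key and only compare it with the token's alg, never dispatch on alg itself.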

@CL107

CL107 commented Jan 16, 2025

> ES256, following the spec, is ECDSA using P-256 and SHA-256. Looks like it should be supported by the lib we're already using to verify signatures: https://phpseclib.com/ Would need to check/validate the process/format for certs provided via config, as well as autodiscovery.
>
> Tricky to find any useful information out there regarding widespread use/plans/changes in ES256 use for OIDC. The JWA spec does mark it as recommended+, hinting at being required in future, so may be a good indicator at specifically supporting ES256 over any other potential algorithm, but not sure about timings around that or realistic use in the OIDC landscape.

Hi, I've come across this issue as it's something I'd like to see implemented as well. Be it that it's marked as recommended+, I guess it's not going to take too long for support to come about. In our use case we just need to be able to sign our own auth correctly for security, and unfortunately this is the only thing keeping us away from BookStack.

Although once this is implemented we'll probably be switching straight over from whichever alternative we decide on.

I'll keep an eye on this for any updates on your end as I would love to be able to use BookStack (seems like the best option by far).

@ssddanbrown
Member

> Be it that it's marked as recommended+, I guess it's not going to take too long for support to come about.

That is from a 2015 document though, so things aren't moving too fast there.

> In our use case we just need to be able to sign our own auth correctly for security

Is there a specific reason that can't be done using RS256?
