[PARTNER-275] Add Authorization header for SEP-10 GET /Auth #1470
Commits compared: eaa9487 to 4f37f5a
This looks like it's 90% there! I added some clarifying questions. Also don't forget to update the version and updated-at field.
Sorry for the repeated delay, a couple more questions / ideas
Lgtm
ecosystem/sep-0010.md (Outdated)

Client must then correctly sign the payload with appropriate Stellar private key. To choose the private key client
application should follow this steps:

- If `client_domain` is specified, the token must be signed with the _Client Domain Account_ (i.e. [SEP-1] defined
Suggested change (original line, then the suggestion):

- If `client_domain` is specified, the token must be signed with the _Client Domain Account_ (i.e. [SEP-1] defined
- If `client_domain` is specified, the token must be signed with the **Client Domain Account** (i.e. [SEP-1] defined
…1303)

### Description
- Implementation of the protocol change stellar/stellar-protocol#1470 (Add Authorization header for SEP-10 GET /Auth)
- Migration to the latest version of the JJWT library
- Improvement of working with secrets in the code
- Improved JWT secret validation

### Context
- Protocol change
- The old JJWT library doesn't have good support for the algorithm used by the protocol change
- Refactored how we work with JWT secrets in the code: use SecretKey instead of String
- Previously, weak keys were not validated properly and were allowed to be used, even though it's against the guidelines. Now, these keys are properly validated using the underlying JJWT library.

### Testing
- `./gradlew test`
- Add tests for SEP-10 auth header

### Documentation
N/A

### Known limitations
N/A
In the protocol change, an optional Authorization header was added for the `GET <WEB_AUTH_ENDPOINT>` endpoint. The header should contain a signed JWT token (using ed25519) with an appropriate key from the request. For custodial applications, this is a primary Application key, provided in the `account` field. For non-custodial applications, this will be the `SIGNING_KEY` from the toml file hosted on the `client_domain`.

The server will validate that the signature is correct, and that the URL in the JWT corresponds to the request. It can optionally filter out requests from all clients that are not allowed by the server.