
#openidconnect

I’m *trying* to like #Python again, but PEP-761 requires #sigstore. #OpenPGP key management has issues, but this requires trusting #openidconnect from #Google & #Microsoft. Plus there’s a stated design goal of supporting automated signatures from private keys held by #GitHub.

Easier? Probably. Safer? Probably not. Security is about trust and the required certificate authorities haven’t earned mine over the past 20 years. As always, YMMV.

peps.python.org/pep-0761/

PEP 761 – Deprecating PGP signatures for CPython artifacts (peps.python.org): Since Python 3.11.0, CPython has provided two verifiable digital signatures for all CPython artifacts: PGP and Sigstore.

Back in April, I had to fight with Pac4j adding OpenID Connect to an application that, for the first time in many projects, had a public/anonymous section.
Out of frustration, I then created my own project, and now after months of procrastination, I'm releasing 1.0.0-rc-1
github.com/tbroyer/oidc-servle

(and before you ask, the project at work isn't using this, it's still using Pac4j)

GitHub - tbroyer/oidc-servlets: Servlets and filters to implement an OpenID Connect relying-party (github.com)

Edit: This has been answered :flan_hurrah:

I'm super confused after reading thread-safe.com/2012/01/proble and its take-home message that we should *not* be using #OAuth2 for authentication: that's what #OpenIDConnect is for.

If that's the case, why does #Forgejo, Gitea etc. allow OAuth2 to be used this way?

That blog post was from 2012 but I've seen the same advice in 2019 at github.com/zmartzone/lua-resty : “OAuth 2.0 cannot be used for user authentication”. (That GH issue is part of what I'm chasing down as part of dev work.)

The problem with OAuth for Authentication (www.thread-safe.com): I want to thank Nat Sakimura for doing a version of this post in Japanese. In some of the feedback I have gotten on the openID Connect sp...