Comments (5)
Hi! Sorry for such a delay with the answer π€¦ββοΈ
Would you be opposed to exposing a backend-agnostic API to import, export and generate asymmetric keys?
Do you mean using one-size-fits-all data types for all cryptographic backends? (That is, a data type for an "signing key".) Or for data types within a single algorithm with possible multiple backends? (That is, a data type for a "Ed25519 signing key".) I'm soft-opposed to the first idea; one of motivations behind the crate was type safety, which is hard to achieve with such all-encompassing types. Regarding the second idea, I'm more welcoming, but I'd like to elaborate on it still.
Even in the
jwt-compact
test suite, this is not convenient, as individual tests have to be written according to every possible backend.
I don't think that exposing backend-specific types is a bad idea per se. In the current crate architecture, it's the developer responsibility to enable the backend, and the key management is (intentionally) moved out of the area of responsibility of the crate - backends (usually) know how to deal with keys secure, and introducing additional layer of abstraction just increases the risks of something going terribly wrongβ’, IMO.
Regarding the tests specifically, this is issue specific to tests. I think in most of use cases the library user will deal with fewer backends than are supported by the library, and certainly won't have to deal with the "overlapping" backends for the same crypto algorithm.
from jwt-compact.
Hi!
I meant the later. Having backend-independent types for a given algorithm.
Creating a key currently requires diving into the documentation of unrelated crates. Switching backends (e.g. using ed25519-compact
in a WebAssembly envirionment and dalek
otherwise) requires different code.
Since the backends are not re-exported, applications also have to explicitly reimport them, and make sure to import the same version as jwt-compact
.
This makes usage of jwt-compact
more complicated and confusing than it could, and the HS*
schemes API inconsistent with asymmetric schemes.
from jwt-compact.
@jedisct1 I've sketched the abstraction layer in #16. Does it look passable to you, or is some functionality missing?
from jwt-compact.
Looking good!
I'm wondering if generate()
couldn't eventually be a trait as well. But your changes are nice and clean.
from jwt-compact.
Moved the remaining part of the issue to #26.
from jwt-compact.
Related Issues (19)
- ability to extract signature and signed bytes from Token/UntrustedToken HOT 1
- Make more types non-exhaustive
- Add more details in `ValidationError`
- Investigate key generation as a trait HOT 1
- no_std support for rsa HOT 7
- Compiling with CBOR support causes compile time errors from `serde_cbor` HOT 3
- Support ES256 HOT 2
- Problem with the download crate v0.6.0 HOT 1
- No way of splitting token into parts
- Version Bump to 0.6.1 HOT 4
- Extracting arbitrary key from jwt header HOT 1
- How to convert JsonWebKey to RSA HOT 1
- Consider relaxing signature of struct TimeOptions HOT 2
- x5t fails to parse depending on semantics used to generate it HOT 3
- unresolved import `jwt_compact::alg::Ed25519` no `Ed25519` in `alg` HOT 1
- no_std build is broken HOT 1
- compact_token for Es256k HOT 2
- jwt-compact does not build with p265 feature on riscv32imac-esp-espidf
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from jwt-compact.