oauth

Asking about this since the NSA recently published guidance advising the public and private sectors to transition to cryptographic algorithms that are no less than sha384 & ec384 (elliptic curves).

While Edwards' Curves are different, its worth noting that prior to this update sha256 & secp256k1 were both on the list of acceptable cryptographic algorithms. My deduction was that 128-bit securit

Description 🐜

With the removal of clientMaxAge and keepAlive in favor of refetchInterval, every time a tab is switched, the session gets revalidated, thus updating a session state in SessionProvider which then causes to rerender all components using useSession.

Is it possible to disable this "revalidation" upon window refocusing?
Thanks in advance.

Is this a bug in your own

On Windows, if the authentication flow isn't completed (failure, closed the browser, etc.) then the client keeps showing 'connecting' but doesn't show a clear action to restart authentication.

Clicking disconnect + connect, or log in as a different user will generate a new authentication link and unblock the user, but that's somewhat difficult to discover.

Options for improvement include adding

Is your feature request related to a problem? Please describe.

The public key-based request signing functionality added to sso_proxy in buzzfeed/sso#106 is undocumented. In particular, it's not immediately obvious how to a) generate an appropriate keypair or b) validate a signed request in an upstream service.

Describe the solution you'd like

New documenta

This will allow users to set up API mgmt for provisioners, and unblock users in environments where the ca.json is not easily accessible.

The --enable-admin flag would create the first provisioner and admin (this code already exists, just behind a boolean).
The --acme flag would create an ACME provisioner.

Related: smallstep/certificates#737