JWT authentication Usage #3790

prakashngit · 2022-04-25T19:20:05Z

prakashngit
Apr 25, 2022

Dear Team CCF,

Is there a way to specify the redirect URI to be an end point inside that CCF app itself while using openid connect implicit flow for JWT authentication? As of now, my understanding is that for the CCF app to be able to authenticate the CCF user via implicit flow, there needs to be a openid connect CLIENT that is separately set up (or the CCF user itself could play this role), and pass the JWT token that it gets to the CCF app to validate the user. Given that this flow is a departure from the implicit flow, I am not sure of how to analyze the security.
A related question: Is there a plan to permit a CCF app to make an ocall that would allow the app to make an http/https request to a third party service?

Thanks
Prakash

Answered by achamayou

Sounds like something you could try, but not something we have seen done before. The flow that's typically been used is that a JWT is passed in (in a header) by the client, and validated against one of the JWT keys polled at an interval by auto-refresh (https://microsoft.github.io/CCF/main/build_apps/auth/jwt.html).
There isn't a plan for that right now, and it probably would require something more than just making an ocall, because that would block request handling on the thread.

achamayou · 2022-04-27T18:44:04Z

Sounds like something you could try, but not something we have seen done before. The flow that's typically been used is that a JWT is passed in (in a header) by the client, and validated against one of the JWT keys polled at an interval by auto-refresh (https://microsoft.github.io/CCF/main/build_apps/auth/jwt.html).
There isn't a plan for that right now, and it probably would require something more than just making an ocall, because that would block request handling on the thread.

1 reply

@achamayou Thank you very much for the answers. On 1. We will give it a try and let you know if we make progress. Thanks!