HackerTrans
トップ新着トレンドコメント過去質問紹介求人

spiffe

no profile record

コメント

spiffe
·5 か月前·議論
Thanks, but I'm likely going to tune out.

None of the 3 points address the fundamental issue. IMO, it appears you are trying to reinvent a tiny part of OAuth2 w/ DCR, but without any of the security or trust underpinnings. I'd encourage you to consider simply using OAuth2 w/ DCR for your agent app instead.
spiffe
·5 か月前·議論
One does not need to break any endpoint or look for things in transit. Any app that calls an agent within your design receives the jwt, and can turn around and masquerade as the agent.
spiffe
·5 か月前·議論
Sorry, but to call a spade a spade, but this is a convoluted mess of faux-security without actually solving your problem statement.

Faux-security because there is no security - anyone that steals the jwt can impersonate the agent for the lifetime of the jwt - 60 minutes is an eternity.

Your solution does nothing to get to the bottom turtle, or most of the intermediate turtles.