HackerTrans
热门最新趋势评论往期问答秀出招聘

spiffe

no profile record

评论

spiffe
·5个月前·讨论
Thanks, but I'm likely going to tune out.

None of the 3 points address the fundamental issue. IMO, it appears you are trying to reinvent a tiny part of OAuth2 w/ DCR, but without any of the security or trust underpinnings. I'd encourage you to consider simply using OAuth2 w/ DCR for your agent app instead.
spiffe
·5个月前·讨论
One does not need to break any endpoint or look for things in transit. Any app that calls an agent within your design receives the jwt, and can turn around and masquerade as the agent.
spiffe
·5个月前·讨论
Sorry, but to call a spade a spade, but this is a convoluted mess of faux-security without actually solving your problem statement.

Faux-security because there is no security - anyone that steals the jwt can impersonate the agent for the lifetime of the jwt - 60 minutes is an eternity.

Your solution does nothing to get to the bottom turtle, or most of the intermediate turtles.