HackerTrans
TopNewTrendsCommentsPastAskShowJobs

spiffe

no profile record

comments

spiffe
·5 個月前·discuss
Thanks, but I'm likely going to tune out.

None of the 3 points address the fundamental issue. IMO, it appears you are trying to reinvent a tiny part of OAuth2 w/ DCR, but without any of the security or trust underpinnings. I'd encourage you to consider simply using OAuth2 w/ DCR for your agent app instead.
spiffe
·5 個月前·discuss
One does not need to break any endpoint or look for things in transit. Any app that calls an agent within your design receives the jwt, and can turn around and masquerade as the agent.
spiffe
·5 個月前·discuss
Sorry, but to call a spade a spade, but this is a convoluted mess of faux-security without actually solving your problem statement.

Faux-security because there is no security - anyone that steals the jwt can impersonate the agent for the lifetime of the jwt - 60 minutes is an eternity.

Your solution does nothing to get to the bottom turtle, or most of the intermediate turtles.