
I am building a service in Go that acts as a public API endpoint. Some of the calls that I make require a user to be authenticated. I am currently working with Keycloak as my auth provider, and following the example in this question as to how to communicate between my endpoint and Keycloak (though I think this question would apply to any OIDC provider). The answer to that question uses "somestate" as the state, and from the reading I have done, it is undesirable to use a static state, or a plain text state. Given that the service may be scaled eventually, I would also prefer not to require storage of some form, either in memory or in a database.

How do I use the request that I originally received to generate a unique state that I can then decode after the redirect, and validate in a possibly different service?

I assume that I would encrypt something and put that in the state, but I am not sure what to encrypt, and not sure how to encrypt it properly.

deef0000dragon1
  • If you're using OIDC, then your client can authenticate with Keycloak, get a JWT, and pass that JWT to your API. At that point, all you need to know is the Keycloak server's public key to validate that JWT. What makes you think you need a unique state? – Burak Serdar Jan 25 '20 at 17:57
  • You can use anything you could validate statelessly. I'd suggest something like a timestamp with its HMAC (hash + secret); maybe, if you want to use some out-of-the-box libraries, you could use a simple JWT (just with a timestamp and HMAC). – gusto2 Jan 25 '20 at 21:49
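The following is an added worked example (not code from the question's author, from Keycloak, or from the linked answer) of the timestamp-plus-HMAC approach suggested in the comments, in the Go the question is about. The wire layout is constructed here, not a standard: the state is `base64url(issued_at || nonce || return_path || HMAC-SHA256)`, so any instance that holds the shared key can verify it with no session store. The key is assumed to come from configuration or a secrets manager and to be identical on every instance; the names `NewState`, `VerifyState` and `stateTTL` are this example's own. One caveat the signature alone does not cover: a valid state only proves your server issued it, not that it was issued to the browser now hitting the callback. The example therefore returns the nonce separately so the login handler can set it in an HttpOnly, SameSite cookie, and `VerifyState` requires that cookie value to match the nonce inside the state.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Wire layout of the state before base64url encoding (constructed for this example):
//   [8 bytes issued-at, unix seconds][16 bytes random nonce][return path bytes][32 bytes HMAC-SHA256]
// The MAC covers everything before it, so any instance holding the shared key can
// verify the state without a session store.
const (
	tsLen    = 8
	nonceLen = 16
	macLen   = sha256.Size
	stateTTL = 10 * time.Minute // how long a login round trip may take
)

var ErrBadState = errors.New("invalid, tampered or expired oauth state")

// tag computes HMAC-SHA256 over body with the shared key.
func tag(key, body []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(body)
	return m.Sum(nil)
}

func buildState(key, nonce []byte, returnPath string, now time.Time) string {
	body := make([]byte, tsLen, tsLen+nonceLen+len(returnPath))
	binary.BigEndian.PutUint64(body, uint64(now.Unix()))
	body = append(body, nonce...)
	body = append(body, returnPath...)
	return base64.RawURLEncoding.EncodeToString(append(body, tag(key, body)...))
}

// NewState returns the state to send to the IdP and the nonce the caller should
// also place in an HttpOnly, SameSite cookie. Checking both ties the callback to
// the browser that started the login, which the signature alone cannot do.
func NewState(key []byte, returnPath string, now time.Time) (state, cookieNonce string, err error) {
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return "", "", err
	}
	return buildState(key, nonce, returnPath, now), base64.RawURLEncoding.EncodeToString(nonce), nil
}

// VerifyState checks the MAC, the age and the cookie binding, and returns the
// embedded return path on success. Every failure maps to the same error so the
// callback leaks nothing about which check tripped.
func VerifyState(key []byte, state, cookieNonce string, now time.Time) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(state)
	if err != nil || len(raw) < tsLen+nonceLen+macLen {
		return "", ErrBadState
	}
	body, got := raw[:len(raw)-macLen], raw[len(raw)-macLen:]
	if !hmac.Equal(got, tag(key, body)) { // constant-time comparison
		return "", ErrBadState
	}
	issued := time.Unix(int64(binary.BigEndian.Uint64(body[:tsLen])), 0)
	if now.Before(issued) || now.Sub(issued) > stateTTL {
		return "", ErrBadState
	}
	wantNonce, err := base64.RawURLEncoding.DecodeString(cookieNonce)
	if err != nil || !hmac.Equal(wantNonce, body[tsLen:tsLen+nonceLen]) {
		return "", ErrBadState
	}
	return string(body[tsLen+nonceLen:]), nil
}

func main() {
	key := []byte("placeholder-shared-secret-load-from-config") // placeholder, not a real key
	now := time.Now()
	state, nonce, err := NewState(key, "/dashboard", now)
	if err != nil {
		panic(err)
	}
	path, err := VerifyState(key, state, nonce, now.Add(time.Minute))
	fmt.Printf("state=%s\nreturn path=%q err=%v\n", state, path, err)
}
```

In the login handler, call `NewState`, set the returned nonce as a cookie and pass the state to the authorization URL; in the callback handler, read `r.URL.Query().Get("state")` and the cookie and hand both to `VerifyState`. Because the path is authenticated by the MAC, the redirect after login cannot be steered to a path the server did not sign, and because the nonce is random per login, two concurrent logins from the same user get distinct states.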
