Credentials Standards #3

Open
opened 2024-12-06 02:51:27 +00:00 by ryan · 1 comment
Owner

All forms of authentication with third-party services (such as a Git forge, an IMAP server, etc.) should require the creation of OAuth clients or otherwise scope-limited tools to ensure the management of resources does not extend beyond what PunchIn requires. For example, a PunchIn configuration intended to work specifically with Icepick should only have write access to issues against the Icepick repository. This can likely be done by creating an OAuth client for Forgejo and requesting permission limited to the repository, but this implementation may require some form of webserver for OAuth callbacks.

In addition, credentials should be managed using some form of credential handler that does not expose the credentials in plaintext, ideally using some wrapper that wraps authentication tokens in OpenPGP encrypted blobs and decrypts them on-demand using GPG-Agent w/ Split GPG or some other OpenPGP Card backend.
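The on-demand decryption wrapper described in the issue, as an added example that is not part of PunchIn or this issue: the token exists on disk only as OpenPGP ciphertext, is decrypted per use by invoking the real `gpg --batch --quiet --decrypt` (which defers to whatever gpg-agent, Split GPG or card backend gpg is configured with), and is never cached. The blob path, the `decrypt_cmd` override and the `tk_…` token shape are assumptions; the `Authorization: token <token>` header form is the one the Forgejo/Gitea API accepts for access tokens.

```python
import subprocess
from contextlib import contextmanager
from pathlib import Path

# Real gpg flags. Assumption: gpg is on PATH and its private-key operations go
# through gpg-agent (or a Split GPG / OpenPGP card backend) so the key itself
# never has to be present in this process.
GPG_DECRYPT = ["gpg", "--batch", "--quiet", "--decrypt"]


class EncryptedToken:
    """Holds only the path to an OpenPGP-encrypted blob, never the plaintext."""

    def __init__(self, blob_path, decrypt_cmd=GPG_DECRYPT):
        self.blob_path = Path(blob_path)
        # decrypt_cmd is overridable so the handler can be exercised without gpg.
        self.decrypt_cmd = list(decrypt_cmd)

    def decrypt(self) -> str:
        """Run the decryptor once and return the token; nothing is cached."""
        if self.blob_path.stat().st_mode & 0o077:
            # Ciphertext is still a secret-bearing file: refuse loose permissions.
            raise PermissionError(f"{self.blob_path} is group/world accessible")
        result = subprocess.run(self.decrypt_cmd, input=self.blob_path.read_bytes(),
                                capture_output=True, check=True)
        lines = result.stdout.decode().splitlines()
        if len(lines) != 1 or not lines[0].strip():
            raise ValueError("expected exactly one token line in decrypted blob")
        return lines[0].strip()

    @contextmanager
    def use(self):
        """Yield the token for a single operation, then drop the reference."""
        token = self.decrypt()
        try:
            yield token
        finally:
            del token


def forgejo_auth_header(store: EncryptedToken) -> dict:
    """Build the Authorization header for one API call, decrypting on demand."""
    with store.use() as token:
        return {"Authorization": f"token {token}"}
```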
Author
Owner

OAuth is not a strict requirement if a Forgejo credential can be created with a limited issue scope.
ryan added this to the Version 1.0 milestone 2024-12-06 21:33:07 +00:00
Reference: public/punchin#3