Details
- Task
- Resolution: Unresolved
- P2: Important
- None
- 6.9.0 FF
- None
- 25
- Foundation PM Staging
Description
QTBUG-124334 adds support to the QtNetworkAuth module for acquiring OpenID Connect ID Tokens. These tokens are in the more generic JSON Web Token / JWT format. In OpenID Connect use cases, these tokens must always be additionally signed with JSON Web Signature / JWS. Furthermore, these tokens may additionally be encrypted and enclosed within a JSON Web Encryption / JWE.
The OpenID Connect model makes it mandatory for a client to verify the token it has received. The 'client' in Qt use cases is the client application (which in itself can also be a server, but for the purposes of OIDC, it is still a client).
Verifying the token can be split roughly into parts:
0) Decrypting the JWE if needed
1) Verifying that the signature is valid
2) Verifying applicable payload fields of the token (such as 'issuer', 'audience' and 'nonce')
There are several open source libraries for doing the verification part, as listed here. Based on a quick look at the C++ libraries, they have a dependency on OpenSSL.
For Qt to wrap such a library, or to develop its own similar library, we most likely want to use an external library such as OpenSSL as well.
This task is about researching the viable options for that library, as adding an OpenSSL dependency may not be feasible, or at least not ideal, on all Qt platforms.
For example: can we use the native libraries on macOS and Windows, and OpenSSL on Linux? And furthermore, should Qt have an (internal) API for such common cryptographic operations?
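The verification steps listed above, as an added sketch that is not Qt or QtNetworkAuth code. It assumes HS256 (HMAC-SHA256 from the Python standard library) as a stand-in signature backend; the `VERIFIERS` table marks the seam where a platform backend (OpenSSL or a native library) would plug in, and all names and sample values are hypothetical. It also checks `exp`, which the list above does not name explicitly.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def hs256_verify(signing_input, signature, key):
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)  # constant-time compare

# Allow-list: "alg" header value -> backend. "none" is absent, so it is rejected.
VERIFIERS = {"HS256": hs256_verify}

def verify_id_token(token, key, issuer, audience, nonce, now=None):
    parts = token.split(".")
    if len(parts) == 5:  # step 0: five segments mean JWE, not handled here
        raise ValueError("JWE compact form: decrypt first, then verify the inner JWS")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    header = json.loads(b64url_decode(parts[0]))  # step 1: signature
    alg = header.get("alg") if isinstance(header, dict) else None
    verifier = VERIFIERS.get(alg) if isinstance(alg, str) else None
    if verifier is None:
        raise ValueError("algorithm not on the allow-list")
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    if not verifier(signing_input, b64url_decode(parts[2]), key):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(parts[1]))  # step 2: payload fields
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")  # may be a single string or a list of strings
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("token expired or exp missing")
    return claims

def make_token(claims, key, alg="HS256"):  # builds constructed sample tokens only
    head = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"
```

The payload is parsed only after the signature check passes, so no claim from an unauthenticated token is ever acted on.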
Issue Links
- is required for: QTBUG-129383 [OIDC] Support for JWT verification, in particular in OpenID Connect context