Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Asymmetric Tokens and server issuing challenges #11521

Open
Tracked by #10519
Eh2406 opened this issue Dec 29, 2022 · 0 comments
Open
Tracked by #10519

Asymmetric Tokens and server issuing challenges #11521

Eh2406 opened this issue Dec 29, 2022 · 0 comments
Assignees
@weihanglo
Labels
A-registry-authentication Area: registry authentication and authorization (authn authz) S-triage Status: This issue is waiting on initial triage. Z-asymmetric-token Nightly: asymmetric-token authentication

Comments

@Eh2406
Copy link
Contributor

Eh2406 commented Dec 29, 2022

The 3231 RFC describes that servers can issue a one time challenge to better protect against token reuse. This was not implemented in #10771 and should be implement it before stabilization.
@Eh2406 Eh2406 added the A-registry-authentication Area: registry authentication and authorization (authn authz) label Dec 29, 2022
@ehuss ehuss added the Z-asymmetric-token Nightly: asymmetric-token authentication label Jan 3, 2023
@weihanglo weihanglo mentioned this issue Jun 19, 2023
Open
7 tasks
@weihanglo weihanglo self-assigned this Jun 20, 2023
@weihanglo weihanglo mentioned this issue Jun 25, 2023
Merged
bors added a commit that referenced this issue Jul 20, 2023
@bors
Auto merge of #12310 - weihanglo:asymmetric-challenge, r=Eh2406
b40be8b 
feat(crates-io): expose HTTP headers and Error type

### What does this PR try to resolve?

This is part of #11521.

[RFC 3231] mentions the authentication process could have an additional **challenge-response mechanism** to prevent potential replay attacks. The challenge usually comes from HTTP `www-authenticate` header as a opaque string. When a client gets a 401/403 response with such a challenge, it may attach the `challenge` to the payload and request again to anwser the challenge.

```
➡️ cargo  requests
⬅️ server responds with `www-authenticate` containing some opaque challenge string
➡️ cargo  automatically requests again without any user perception
⬅️ server responds ok
```

However, `crates-io` crate doesn't expose HTTP headers. There is no access to `www-authenticate` header.

This PR make it expose HTTP headers and the custom `Error` type, so `cargo` can access and do further on the authentication process.

[RFC 3231]: https://rust-lang.github.io/rfcs/3231-cargo-asymmetric-tokens.html#the-authentication-process
@epage epage added the S-triage Status: This issue is waiting on initial triage. label Nov 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@weihanglo weihanglo

Labels
A-registry-authentication Area: registry authentication and authorization (authn authz) S-triage Status: This issue is waiting on initial triage. Z-asymmetric-token Nightly: asymmetric-token authentication
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ehuss @epage @Eh2406 @weihanglo