Combining compression with encryption is notoriously tricky to get right. Handling these operations incorrectly, or not considering their interaction at all, can leave the resulting ciphertext vulnerable to the BREACH and/or CRIME attacks.
polyproto-core already deals with encryption to some extent, and polyproto-mls most definitely will. How to proceed with these attacks in mind still needs to be worked out.
This nix-based CI does not yet have attic configured for it. As such, it doesn't benefit from any sort of additional caching.
am working on it, typespec hard,
Acquire and validate OAuth2 opaque tokens
Needs more info: API unclear @cyrneko
Parse OAuth2 JWTs (ID tokens and auth tokens) and validate them securely
there is already a PR for this PAW: #45
Blocked by https://codeberg.org/polyphony/polyproto-rs/issues/108
Remove the need for a bespoke polyproto-auth protocol extension by mandating OIDC (OpenID Connect) for authentication and SCIM (System for Cross-domain Identity Management) for account lifecycle management on a polyproto home server.
polyproto-auth was going to be a separate spec that reinvented a large amount of wheel-shapes. OIDC and SCIM are pre-existing, common, popular, tried and battle-tested specifications which achieve what polyproto-auth set out to do and more. Additionally, adopting a pre-existing protocol means that implementers don't have to write an auth server themselves, and deployers can integrate with their pre-existing auth+identity management solutions.
These additions to the protocol describe the precise usage of OIDC and SCIM in polyproto. Reading these additions should give implementers a good idea about how OIDC, SCIM and polyproto work together.
Below is a list of items that need to be addressed, with an indicator of how difficult each item is expected to be (5 = most difficult, 1 = easiest).