lastlogin-io / obligator Goto Github PK

https://github.com/DuendeSoftware/IdentityServer

Users need to be able to delete old identities and login history as desired

I have not done much digging into this project yet, but a suggestion I have after reading the readme file is in response to the blurb about sending a unique code to the email. The suggestion is to add a registration flow to confirm ownership of the email like you already are but then also allow linking that email to a FIDO2 token registration via webauthn, which is what passkeys use.

I suggest this because I use a variety of webauthn devices all the time now and I think that method of authenticating is much much better than passwords and is more convenient than clicking on a link sent to your email in my opinion. There are authenticator smartcards (my preference), USB tokens like yubikeys and the opensource derivatives, and of course now google and apple passkeys supported by the trusted platform modules or HSMs on the new phones.

pull access denied for anderspitman/obligator, repository does not exist or may require 'docker login'

Actually testing your interesting software 👍

At the moment it is not possible to use SMTP endpoints which require SSL/TLS encryption for sending mails (e.g. smtp.office365.com) with the docker image. Checked the code and in the struct there are no params for this use case.

It would be nice if this is possible.

Now that we're storing everything in JWTs, state isn't really doing anything, and it's optional https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1

It is a pretty important feature for many within the auth / identity space. The only modern provider that seems to have support and documentation for "impersonation" is GoAuthentik - but I've not run through your full comparison table yet. Is that a feature you wouldn't mind adding to your comparison table?
Thanks!

By far the project most similar to obligator that I've found

Just need to return the requester's domain as the client_id and don't need to store anything

Don't see a good reason not to, and it offers some defense in depth. At least random apps on the user's machine won't be able to snoop all their logins

Should be safe as long as we don't have an open redirector

Currently the API is only offered through unix sockets. This reduces the chance that it accidentally gets exposed, which is important because it's not authenticated in any way.

Would you be open to embedding zero trust directly into the project via OpenZiti? OpenZiti allows you to have secure connectivity to the server from anywhere, via a zero trust overlay.

If that sounds interesting, I'd be happy to contribute a patch and if you're into it, demo it over on our YouTube channel too?

Currently using obligator_ as a prefix for all cookies. This should be controllable by the user as it is for the login key cookie

• Redirect to original instance when clustered
• Expire codes after a brief time