Description
A useful enhancement to OPA would be builtin functions enabling support for JOSE.
The use case is simply providing a means for a non-secure application to provide secret input to OPA. As a configuration data format, JSON dovetails quite nicely with OPA and Rego; enabling support for encrypted tokens provides a system with some guarantees regarding non-repudiation, confidentiality, and integrity.
From an API perspective, something similar to the current `io.jwt.decode_verify()` builtin might work well. From a user perspective, access to the JWT components after successful decryption/verification should be sufficient. Since this is a security issue, direct control (within the API?) over whether detected errors are written to logs would be desirable.
Suggested algorithms to support, as a starting point:
- A256KW
- A256GCMKW
- RSA-OAEP-256