Encryption support #1131

Open
@pwmorreale

Description

A useful enhancement to OPA would be builtin functions enabling support for JOSE.

The use case is simply providing a means for a non-secure application to provide secret input to OPA. As a configuration data format, JSON dovetails quite nicely with OPA and Rego; enabling support for encrypted tokens provides a system with some guarantees regarding non-repudiation, confidentiality, and integrity.

From an API perspective, something similar to the current io.jwt.decode_verify() builtin might work well. From a user perspective, access to the JWT components after successful decryption/verification should be sufficient. Since this is a security issue, direct control (within the API?) over whether detected errors are written to logs would be desirable.

Suggested supported algorithms include:

  • A256KW
  • A256GCMKW
  • RSA-OAEP-256

These would be a good start.
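The following is an added example, not code from OPA and not from the issue author: a compact-serialization JWE (RFC 7516) encrypt/decrypt for one of the suggested algorithms, alg=A256GCMKW with enc=A256GCM, written against the Go standard library only. It shows the work a JOSE builtin of the kind requested would have to do before handing decrypted components back to a policy: parse the five segments, allowlist alg/enc before touching any key material, unwrap the content key, verify the AEAD tag, and return the header and plaintext. The function names Encrypt and Decrypt, the verbose flag (which models the requested control over how much error detail is reported), and the demo key in the usage note are assumptions of this example; A256KW and RSA-OAEP-256 are not implemented here.

```go
// Added example for this issue, not OPA code: compact JWE with alg=A256GCMKW and enc=A256GCM, stdlib only.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

type jweHeader struct { // iv/tag carry the key-wrap GCM nonce and tag (RFC 7518 section 4.7)
	Alg string `json:"alg"`
	Enc string `json:"enc"`
	IV  string `json:"iv,omitempty"`
	Tag string `json:"tag,omitempty"`
}

var b64 = base64.RawURLEncoding
var errOpaque = errors.New("jwe: token rejected") // default failure: says nothing about why

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func openGCM(key, nonce, data, aad []byte) ([]byte, error) { // size checks first: Open panics on a bad nonce
	g, err := gcm(key)
	if err != nil || len(nonce) != g.NonceSize() {
		return nil, errors.New("bad key size or nonce length")
	}
	return g.Open(nil, nonce, data, aad)
}

// Encrypt builds header.encryptedKey.iv.ciphertext.tag with a fresh 256-bit CEK wrapped under kek.
func Encrypt(kek, plaintext []byte) (string, error) {
	buf := make([]byte, 56) // 32-byte CEK, 12-byte key-wrap nonce, 12-byte content nonce
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	cek, kwIV, iv := buf[:32], buf[32:44], buf[44:]
	kw, err := gcm(kek)
	if err != nil {
		return "", err
	}
	wrapped := kw.Seal(nil, kwIV, cek, nil) // key wrapping uses an empty AAD; its tag goes in the header
	hdr, _ := json.Marshal(jweHeader{Alg: "A256GCMKW", Enc: "A256GCM",
		IV: b64.EncodeToString(kwIV), Tag: b64.EncodeToString(wrapped[32:])})
	protected := b64.EncodeToString(hdr)
	ce, _ := gcm(cek) // cek has a valid size by construction
	sealed := ce.Seal(nil, iv, plaintext, []byte(protected)) // AAD = ASCII(base64url protected header)
	return strings.Join([]string{protected, b64.EncodeToString(wrapped[:32]), b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:len(sealed)-16]), b64.EncodeToString(sealed[len(sealed)-16:])}, "."), nil
}

// Decrypt returns header and plaintext. With verbose false every failure is
// reported as errOpaque, so the caller decides what detail reaches a log.
func Decrypt(kek []byte, token string, verbose bool) (*jweHeader, []byte, error) {
	fail := func(reason string) (*jweHeader, []byte, error) {
		if !verbose {
			return nil, nil, errOpaque
		}
		return nil, nil, errors.New("jwe: " + reason)
	}
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return fail(fmt.Sprintf("expected 5 segments, got %d", len(parts)))
	}
	var hdr jweHeader
	hb, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil {
		return fail("malformed protected header")
	}
	if hdr.Alg != "A256GCMKW" || hdr.Enc != "A256GCM" { // allowlist before touching any key material
		return fail(fmt.Sprintf("unsupported alg/enc %q/%q", hdr.Alg, hdr.Enc))
	}
	raw := make([][]byte, 6) // encKey, iv, ciphertext, tag, key-wrap iv, key-wrap tag
	for i, s := range []string{parts[1], parts[2], parts[3], parts[4], hdr.IV, hdr.Tag} {
		if raw[i], err = b64.DecodeString(s); err != nil {
			return fail(fmt.Sprintf("segment %d: %v", i, err))
		}
	}
	cek, err := openGCM(kek, raw[4], append(raw[0], raw[5]...), nil)
	if err != nil {
		return fail("key unwrap: " + err.Error())
	}
	pt, err := openGCM(cek, raw[1], append(raw[2], raw[3]...), []byte(parts[0])) // tag verified before any plaintext is returned
	if err != nil {
		return fail("content decrypt: " + err.Error())
	}
	return &hdr, pt, nil
}
```

Usage: with a constructed 32-byte KEK such as `[]byte("0123456789abcdef0123456789abcdef")`, `Encrypt(kek, []byte(`{"db_password":"example"}`))` yields a five-segment token, and `Decrypt(kek, tok, true)` returns the header and the original JSON. Two design points matter for the builtin the post describes: the token is never allowed to choose the algorithm (the alg/enc check runs before any key is touched), and a wrong key, a flipped ciphertext byte, or a malformed token all surface as the same errOpaque unless the caller opts into detail, which is the logging control the post asks for.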
