goat: Create service auth token via locally-held signing key #1122
Conversation
|
I've tested this now (as part of a migration) so can confidently say that it works at least Very much open to suggestions on renaming things or moving the subcommand to a different category, but I thought this made the most sense. |
| }, | ||
| &cli.IntFlag{ | ||
| Name: "duration-sec", | ||
| Value: 60, |
There was a problem hiding this comment.
My intuition is to bump this up to something between 120 to 300 seconds for folks doing this manually/locally? Though I guess this is basically the same with service-auth (fetched from PDS, but output locally) and consistency is good. And too-long a duration might be rejected by the audience. I'd probably bump to 120 but also fine leaving as-is, up to you.
There was a problem hiding this comment.
Do you think it's likely for a too-long duration to be rejected by the audience outright, or just treated as if it were a shorter one?
I think I'll leave this as-is since it's nice to have a "safer" default (and enforces the convention that service auth tokens are intended to be short-lived in general), but in my writeup I set the duration to 3600
| durSec := cctx.Int("duration-sec") | ||
| duration := time.Duration(durSec * int(time.Second)) | ||
|
|
||
| token, err := auth.SignServiceAuth(iss, aud, duration, lxm, privkey) |
There was a problem hiding this comment.
yay, glad you found this and that it can be used here!
This is needed as part of the "adversarial PDS migration" flow, because the existing
goat account service-authcommand requires the origin PDS to create the token.