2023-04-27 22:08:51

nohea on Nostr: Thoughts on NIP-98 HTTP Auth proposal: It's interesting reading this proposal, coming ...

Thoughts on NIP-98 HTTP Auth proposal:

It's interesting reading this proposal, coming from some slight use of JWTs with shared secrets on servers.
JWTs typically have an auth provider authenticating a user and also validating "claims" (authorization roles).
The JWT is passed in the Authorization Bearer _ HTTP header along with the actual resource request.
The server can then validate identity and claims via symmetrical shared secret, or alternatively via jwk_url for asymmetric auth.

Clearly for Nostr we want to auth users asymmetrically. It is technically possible for Nostr clients to generate their own JWT for id. To validate permissions to a resource, an organization would have to run their own auth service, use Nostr to validate id, but add claims to the JWT.

Wrapping the auth+httprequest in a Nostr event adds extra overhead. Clearly it works, but figuring out auth via the existing JWT methods will allow for more services to use Nostr auth without customization.

https://github.com/nostr-protocol/nips/pull/469
Author Public Key
npub1xrdrsrgh20kegz2pjt79rrtk40r24c9n9jkmz2nxzk9p0e87r7ls6q06py
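To make concrete what "wrapping the auth+httprequest in a Nostr event" means on the receiving side, here is an added server-side check of a NIP-98 Authorization header (example code, not from the post or from any Nostr project). It assumes the published NIP-98 shape (kind 27235, `u` and `method` tags, `Authorization: Nostr <base64 JSON event>`), takes the current time as a parameter, and delegates the BIP340 Schnorr signature check to a caller-supplied `sig_ok` function, since that needs a secp256k1 library.

```python
import base64
import hashlib
import json

NIP98_KIND = 27235     # event kind NIP-98 reserves for HTTP auth events
MAX_SKEW_SECONDS = 60  # freshness window; kept short to limit replay

def event_id(ev):
    """NIP-01 id: sha256 of the canonical JSON array of the signed fields."""
    canonical = json.dumps([0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]],
                           separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode()).hexdigest()

def tag_value(ev, name):
    return next((t[1] for t in ev.get("tags", []) if len(t) > 1 and t[0] == name), None)

def verify_nip98(header, url, method, sig_ok, now):
    """Return (True, pubkey) or (False, reason). sig_ok(ev) is the caller's BIP340 Schnorr
    check of ev['sig'] over ev['id'] with ev['pubkey'] (assumed library, not shown here)."""
    scheme, _, token = header.partition(" ")
    if scheme != "Nostr" or not token:
        return False, "not a Nostr authorization header"
    ev = json.loads(base64.b64decode(token))
    if ev.get("kind") != NIP98_KIND:
        return False, "wrong event kind"
    # Binding to this exact request is what a plain bearer token lacks: URL and method must match.
    if tag_value(ev, "u") != url or (tag_value(ev, "method") or "").upper() != method.upper():
        return False, "event not bound to this request"
    if abs(now - int(ev.get("created_at", 0))) > MAX_SKEW_SECONDS:
        return False, "event outside freshness window"
    # Recompute the id: the signature covers the id, so a mismatched id proves nothing about the tags.
    if event_id(ev) != ev.get("id"):
        return False, "event id does not match its content"
    if not sig_ok(ev):
        return False, "bad signature"
    return True, ev["pubkey"]

def build_nip98_event(pubkey, url, method, created_at):
    """Constructed, unsigned NIP-98 event for exercising the checks; a real client signs it."""
    ev = {"pubkey": pubkey, "created_at": created_at, "kind": NIP98_KIND,
          "tags": [["u", url], ["method", method]], "content": ""}
    ev["id"] = event_id(ev)
    ev["sig"] = "00" * 64  # placeholder, no real signature
    return ev

def encode_header(ev):
    """Authorization header value as NIP-98 specifies: 'Nostr ' + base64(JSON event)."""
    return "Nostr " + base64.b64encode(json.dumps(ev).encode()).decode()
```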