6 stable releases
2.1.1 | Aug 20, 2022 |
---|---|
2.1.0 | Aug 6, 2022 |
1.0.4 | Jun 21, 2022 |
#825 in Authentication
24KB
446 lines
Uniauth
Easy-to-use abstraction over authentication.
How it works
- Application tells the server of a requested action (for example, to log in) and asks for a nonce.
- Server issues a nonce which will never be used again.
- Application tells the user's local uniauth daemon to sign a challenge using the nonce, service name and username.
- User authenticates/authorizes the action.
- Daemon signs the challenge and response is sent from the application to the server.
- Server verifies the challenge against the user's key(s).
Server
Servers only store public keys, if/when the server is compromised the attacker cannot do anything with them.
Daemon
Uniauth daemons can do anything, from being completely autonomous to using a hardware authenticator.
Signature Algorithms
The application-daemon protocol supports any algorithm with signatures and keys under 65516 bytes long.
Currently Ed25519 and CRYSTALS-Dilithium3 are supported, Ed25519 has tiny signatures and keys, but Dilithium3 is post-quantum safe.
Dependencies
~3–16MB
~229K SLoC