add a warning for hash generation with similar data

Geoffroy Couprie 2021-02-26 11:31:01 +01:00
parent 236f50ffab
commit 47c6051467


@ -226,6 +226,12 @@ To check revocation status, we can either:
- query the list of revocation tokens: `revocation($index, $id) <- revocation_id($index, $id)` then verify their presence in a revocation list
- load a policy with the list of revoked tokens: `deny if revocation_id($index, $id), [ hex:1234..., hex:4567...].contains($id)`
The hashes are generated from the serialized blocks and the corresponding keys,
so if you generate multiple tokens with the same root key and same authority
block, they will have the same revocation identifier. To avoid that, you can
add unique data to the block, like a random value, a UUID identifying that
token chain, a date, etc.
# Example tokens
Let's make an example, from an S3-like application, on which we can store and
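Review bot: the added paragraph lists "a date" among the values that make a block unique, but two tokens minted with the same root key, the same authority block and the same date value would still share a revocation identifier. Suggest recommending a random value or a UUID as the unique data, and mentioning a date only as something to add alongside one of them. The paragraph should also state the consequence for the `deny if revocation_id($index, $id), [...].contains($id)` policy shown just above it: putting a shared identifier in the revocation list denies every token that carries it, not only the one being revoked. Finally, "The hashes" has no antecedent in the visible lines; "The revocation identifiers" would match the term used at the end of the same sentence.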