mirror of
https://github.com/nitnelave/lldap.git
synced 2023-04-12 14:25:13 +00:00
docs: update architecture doc
This commit is contained in:
parent
90611aefef
commit
4537d1ae2b
@ -6,7 +6,8 @@ backend and [yew](https://yew.rs) for the frontend.
|
|||||||
Backend:
|
Backend:
|
||||||
* Listens on a port for LDAP protocol.
|
* Listens on a port for LDAP protocol.
|
||||||
* Only a small, read-only subset of the LDAP protocol is supported.
|
* Only a small, read-only subset of the LDAP protocol is supported.
|
||||||
* An extension to allow resetting the password through LDAP will be added.
|
* In addition to that, an extension to allow resetting the password is also
|
||||||
|
supported.
|
||||||
* Listens on another port for HTTP traffic.
|
* Listens on another port for HTTP traffic.
|
||||||
* The authentication API, based on JWTs, is under "/auth".
|
* The authentication API, based on JWTs, is under "/auth".
|
||||||
* The user management API is a GraphQL API under "/api/graphql". The schema
|
* The user management API is a GraphQL API under "/api/graphql". The schema
|
||||||
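Review bot: the reworded bullet in this hunk drops the qualifier "through LDAP", so it is no longer clear which interface carries the password-reset extension (the LDAP port, as the old text said, or the HTTP API), and "In addition to that" is a vague connector in a bullet list. Suggest keeping the interface explicit, e.g. "* A custom extension for resetting the password through LDAP is also supported."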
@ -46,11 +47,6 @@ Data storage:
|
|||||||
|
|
||||||
### Passwords
|
### Passwords
|
||||||
|
|
||||||
Passwords are hashed using Argon2, the state of the art in terms of password
|
|
||||||
storage. They are hashed using a secret provided in the configuration (which
|
|
||||||
can be given as environment variable or command line argument as well): this
|
|
||||||
should be kept secret and shouldn't change (it would invalidate all passwords).
|
|
||||||
|
|
||||||
Authentication is done via the OPAQUE protocol, meaning that the passwords are
|
Authentication is done via the OPAQUE protocol, meaning that the passwords are
|
||||||
never sent to the server, but instead the client proves that they know the
|
never sent to the server, but instead the client proves that they know the
|
||||||
correct password (zero-knowledge proof). This is likely overkill, especially
|
correct password (zero-knowledge proof). This is likely overkill, especially
|
||||||
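Review bot: this hunk removes the whole "### Passwords" subsection and its Argon2/secret explanation from the Data storage area without leaving any pointer, so a reader of the storage section now finds nothing about how credentials are stored. Since the text is being relocated under the OPAQUE discussion (see the following hunk), consider leaving a one-line cross-reference here, e.g. "Password material is discussed under Authentication below."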
@ -59,6 +55,15 @@ but it's one less potential flaw (especially since the LDAP interface can be
|
|||||||
restricted to an internal docker-only network while the web app is exposed to
|
restricted to an internal docker-only network while the web app is exposed to
|
||||||
the Internet).
|
the Internet).
|
||||||
|
|
||||||
|
OPAQUE's "passwords" (user-specific blobs of data that can only be used in a
|
||||||
|
zero-knowledge proof that the password is correct) are hashed using Argon2, the
|
||||||
|
state of the art in terms of password storage. They are hashed using a secret
|
||||||
|
provided in the configuration (which can be given as environment variable or
|
||||||
|
command line argument as well): this should be kept secret and shouldn't change
|
||||||
|
(it would invalidate all passwords). Note that even if it was compromised, the
|
||||||
|
attacker wouldn't be able to decrypt the passwords without running an expensive
|
||||||
|
brute-force search independently for each password.
|
||||||
|
|
||||||
### JWTs and refresh tokens
|
### JWTs and refresh tokens
|
||||||
|
|
||||||
When logging in for the first time, users are provided with a refresh token
|
When logging in for the first time, users are provided with a refresh token
|
||||||
|
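Review bot: the added paragraph says an attacker who obtains the secret "wouldn't be able to decrypt the passwords", but the surrounding sentences describe hashing with Argon2, and a hash is not decrypted; the accurate statement is that the attacker would still have to brute-force each password individually. Suggest "the attacker wouldn't be able to recover the passwords without running an expensive brute-force search independently for each one", and "even if it was compromised" should read "even if it were compromised".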