oauth

Asking about this since the NSA recently published guidance advising the public and private sectors to transition to cryptographic algorithms that are no less than sha384 & ec384 (elliptic curves).

While Edwards' Curves are different, its worth noting that prior to this update sha256 & secp256k1 were both on the list of acceptable cryptographic algorithms. My deduction was that 128-bit securit

Description 🐜

If you only have a Credentials provider, you now are unable to get a CSRF token:

[next-auth][error][CALLBACK_CREDENTIALS_JWT_ERROR] 
https://next-auth.js.org/errors#callback_credentials_jwt_error Signin in with credentials only supported if JWT strategy is enabled UnsupportedStrategy [UnsupportedStrategyError]: Signin in with credentials only supported if JWT strategy is 

When trying to run tailscaled in a FreeBSD jail, it produces this error:

# tailscaled
logtail started
Program starting: v1.10.0, Go 1.16.7: []string{"tailscaled"}
LogID: 2a3b18aa8ca610c035fa561e92de5aa2113e31ea008a574d5e7a89a3690d212e
logpolicy: using system state directory "/var/db/tailscale"
creating link monitor: devd dial error: dial unixpacket /var/run/devd.seqpacket.pipe: conn

Is your feature request related to a problem? Please describe.

The public key-based request signing functionality added to sso_proxy in buzzfeed/sso#106 is undocumented. In particular, it's not immediately obvious how to a) generate an appropriate keypair or b) validate a signed request in an upstream service.

Describe the solution you'd like

New documenta

This will allow users to set up API mgmt for provisioners, and unblock users in environments where the ca.json is not easily accessible.

The --enable-admin flag would create the first provisioner and admin (this code already exists, just behind a boolean).
The --acme flag would create an ACME provisioner.

Related: smallstep/certificates#737