Add optional support for signing authentication replies
- The client should send a challenge to the OTPme server that will be signed with its public key
- This reduces the amount of code where authentication-related bugs may lead to false positives
- Using JWT for this feature will allow us to re-use it for web authentication in later versions (https://en.wikipedia.org/wiki/JSON_Web_Token)
#1 Updated by The 2nd over 6 years ago
- % Done changed from 40 to 50
- Current implementation sends a challenge with the authentication request which is added to a JWT signed with the public key of the "site certificate" and sent back in the authentication reply. This is used e.g. when logging in via OTPme PAM module.
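A sketch of the signed-reply check described in this issue, added here as an illustration and not taken from OTPme's code. It assumes RS256, hypothetical claim names `challenge` and `status`, hypothetical function names, and a constructed demo key standing in for the site certificate's key pair (the server signs with the private key, the client verifies with the public key).

```python
import base64, hashlib, hmac, json, secrets

# Constructed demo RSA key built from two Mersenne primes: NOT secure, it only
# stands in for the site certificate's key pair so the example runs offline.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, server side only
K = (N.bit_length() + 7) // 8            # modulus length in bytes
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa(msg: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg), as used by RS256."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def new_challenge() -> str:
    return secrets.token_urlsafe(32)     # fresh per request, never reused

def server_reply(challenge: str, status: str) -> str:
    """Server: put the client's challenge into a JWT and sign it."""
    head = b64u(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps({"challenge": challenge, "status": status}).encode())
    signing_input = f"{head}.{body}".encode()
    sig = pow(int.from_bytes(emsa(signing_input), "big"), D, N)
    return f"{head}.{body}.{b64u(sig.to_bytes(K, 'big'))}"

def client_verify(token: str, sent_challenge: str) -> bool:
    """Client: accept only a validly signed reply that echoes our challenge."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64u_dec(head)).get("alg") != "RS256":  # pin the algorithm
            return False
        s = int.from_bytes(b64u_dec(sig), "big")
        em = pow(s, E, N).to_bytes(K, "big")
        if s >= N or not hmac.compare_digest(em, emsa(f"{head}.{body}".encode())):
            return False
        claims = json.loads(b64u_dec(body))
        return (claims.get("status") == "ok" and
                hmac.compare_digest(str(claims.get("challenge")), sent_challenge))
    except (ValueError, TypeError, AttributeError):
        return False
```

A real deployment would load the key from the site certificate and use a vetted JWT library; the hand-rolled RSA here exists only to keep the example dependency-free.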