Encrypted Payload Envelope #550

Closed
curtisdurrett opened this issue Jan 29, 2016 · 11 comments
Labels
media and encoding Issues regarding media type support and how to encode data (outside of query/path params) Needs author feedback No recent activity The issue has not been updated in 7 days. security: encryption Support for encryption in headers, payloads, etc. security

Comments

@curtisdurrett

It doesn't appear that Swagger has a way of describing that the message payload can be placed in an encryption envelope. Are there plans to add that in the future?

Something like this:

```json
{
  "securePayload": {
    "key": "AES public symmetric key",
    "iv": "AES initialization vector",
    "payload": "AES encrypted payload"
  }
}
```

@webron
Member

webron commented Jan 29, 2016

No requests have been made for it so far (as far as I recall). We can definitely consider this for the next version. More details would help with the consideration (never assume everyone knows what you're trying to do 😉).

@fehguy
Contributor

fehguy commented Mar 1, 2016

Parent issue #586

@webron
Member

webron commented Mar 1, 2016

Potentially this can also go under #585.

@darrelmiller
Member

Using the JOSE standards https://tools.ietf.org/html/rfc7516 it is possible to use standard HTTP headers to define all the metadata needed to encrypt payloads. This should be possible to describe with the header parameters and response headers.

@sdatspun2

@darrelmiller That (having a header) might work if encryption is for the entire payload. How about inline encryption for part of the payload, say one property in the response is encrypted? How should that be represented? If the encrypted property in the response schema is annotated somehow to indicate that it is encrypted and packaged according to JOSE, it would help in response processing. Thoughts?

@RobDolinMS
Contributor

Is this just handled at the HTTP layer?

@ePaul
Contributor

ePaul commented May 29, 2017

@RobDolinMS While HTTP (or rather HTTPS) allows encrypting everything, this is just on the transport layer.

There might be cases where encrypted content needs to be passed on by one of the communication partners (which doesn't even have the key) to/from someone else, maybe together with some non-encrypted metadata.

In this case a wrapper like in the initial post might be useful, with a way to define in OpenAPI both how the unencrypted parts and how the encrypted parts look (after decryption/before encryption).
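
An added sketch of the wrapper use case in the comment above (not code from this issue or from the OpenAPI project): the payload is encrypted for the end recipient, while the cleartext metadata that a forwarding party can read is bound to it as AES-GCM associated data. Only `key`, `iv` and `payload` come from the issue; the `tag` and `meta` fields, the RSA-OAEP key wrapping and the function names are assumptions.

```javascript
// Added illustration, Node.js built-in crypto only.
const crypto = require("node:crypto");

// Constructed recipient key pair, generated at run time for the demo.
const recipient = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

function seal(plainObject, meta, recipientPublicKey) {
  const cek = crypto.randomBytes(32); // fresh AES-256 content key per message
  const iv = crypto.randomBytes(12);  // 96-bit GCM nonce, never reused with a key
  const cipher = crypto.createCipheriv("aes-256-gcm", cek, iv);
  // Bind the cleartext metadata: readable in transit, but any change breaks the tag.
  // Assumes meta re-serializes identically; a real design needs a canonical form.
  cipher.setAAD(Buffer.from(JSON.stringify(meta)));
  const ct = Buffer.concat([
    cipher.update(JSON.stringify(plainObject), "utf8"),
    cipher.final(),
  ]);
  // The content key travels wrapped under the recipient's RSA public key.
  const wrapped = crypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, cek);
  return {
    meta,
    securePayload: {
      key: wrapped.toString("base64"),
      iv: iv.toString("base64"),
      payload: ct.toString("base64"),
      tag: cipher.getAuthTag().toString("base64"),
    },
  };
}

function open(envelope, recipientPrivateKey) {
  const sp = envelope.securePayload;
  const cek = crypto.privateDecrypt(
    { key: recipientPrivateKey, ...OAEP },
    Buffer.from(sp.key, "base64"));
  const decipher = crypto.createDecipheriv("aes-256-gcm", cek, Buffer.from(sp.iv, "base64"));
  decipher.setAAD(Buffer.from(JSON.stringify(envelope.meta)));
  decipher.setAuthTag(Buffer.from(sp.tag, "base64"));
  // final() throws if the ciphertext, IV, tag or metadata was modified.
  const pt = Buffer.concat([
    decipher.update(Buffer.from(sp.payload, "base64")),
    decipher.final(),
  ]);
  return JSON.parse(pt.toString("utf8"));
}
```

The forwarding party needs no key to route on `meta`, and the recipient rejects the envelope if `meta` or any `securePayload` field was altered on the way.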

@handrews handrews changed the title Encrypted Payload Envelop Encrypted Payload Envelope Jan 29, 2024
@handrews handrews added the media and encoding Issues regarding media type support and how to encode data (outside of query/path params) label Jan 29, 2024
@handrews handrews added security security: encryption Support for encryption in headers, payloads, etc. and removed OpenAPI.Next Proposal labels Feb 8, 2024
@handrews
Member

@sdatspun2 does the JWT representation technique shown in JSON Schema draft 2020-12 address your use case, or do you need something more general?

@curtisdurrett does this need to incorporate technologies outside of the JOSE set of specifications, or can we close this in favor of #1464?

@sdatspun2

sdatspun2 commented Apr 22, 2024

@handrews That question was raised in 2016! I am not sure. If in a payload you have multiple properties that require encryption or signature, how would that work? Is there an example?

@handrews
Member

@sdatspun2 I honestly don't know enough about this area to say; there is an example of the JWT representation in that link I've provided. Does it look useful?

@github-actions github-actions bot added the No recent activity The issue has not been updated in 7 days. label May 31, 2024
Contributor

This issue has been labeled with No recent activity because there has been no recent activity. It will be closed if no further activity occurs within 28 days. Please re-open this issue or open a new one after this delay if you need to.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Jun 28, 2024

8 participants