Consider using certified OpenID library
Closed this issue · 2 comments
Currently, this library relies on the @passport-next/passport-openid package (which hasn't been updated in 5 years). That package in turn depends on the openid library on NPM; this package, however, is not certified by OpenID. Not relying on a library certified by OpenID might lead to security vulnerabilities; I strongly recommend that this library move to a certified package or make upstream changes to minimize the risk. The certified packages are listed on their website: https://openid.net/certified-open-id-developer-tools/. As an example, they list the following:
- openid-client is a Relying Party (RP) implementation for node.js servers. Wide feature coverage including optional specifications such as ID Token and UserInfo claim encryption support, JWT Client Authz and more make it the go-to library for node.js clients. Passport.js strategy is included.
- Target Environment: JavaScript for node.js
- License: MIT
- Certified By: Filip Skokan
- Conformance Profiles: Basic RP, Implicit RP, Hybrid RP, Config RP, Dynamic RP, Form Post RP
@Officialstrike This library is honestly not actively maintained by anyone. I'm happy to review and merge any contributions for the sake of this library, especially if they're security related, but I don't have permissions to bring in new people either.
I also think that, given the state of the current library, maintainer contributions, and the lack of upstream support on current versions (which would require a complete rewrite and thus a new major version), the best course of action is to promote a successor to this library, officially mark this library as deprecated, and only issue security updates for a limited period of time.
From my current search I do not see any other Steam Passport implementations, utilizing any newer libraries or standards, that could be a spiritual successor.