V51 OAuth: Add new OIDC generic verifications

[TobiasAhnoff]

The following verifications are suggested to be added to the proposed new OIDC chapter (see #2037).

Generic OIDC security

Verify that ID Tokens are only sent to the client where the user initiated the authorization request. (L1,L2,L3)

Verify that if the ID Token is sent to the front channel or a public client they should be encrypted or not contain any sensitive user data. (L1,L2,L3)

[randomstuff]

Verify that ID Tokens are only sent to the client where the user initiated the authorization request. (L1,L2,L3)

I am somewhat wondering what this means because:

• the decisions to send ID tokens is taken by the identity provider;
• but the identity provider cannot really know if the user actually initiated the authorization request;
• so the responsibility here is actually distributed between both the requesting party/client and the identity provider.

Moreover, is this forbidding the case when all the OpenID connect dance is happening transparently behind the scene:

1. the user goes to https://client.example/
2. the user is automatically and transparently redirected to https://idp.example/auth?...
3. the identity provider finds that the user already has a session on the IdP and has already consented to connect to this application and automatically redirects the user back to the client application.

The customer usually wants all the OIDC to happen behind the scene as long as possible in order to have its user get the job done.

[TobiasAhnoff]

The intention with

Verify that ID Tokens are only sent to the client where the user initiated the authorization request.

was basically the same as the discussions in #2049 and #2005, that ID tokens are used as an authentication response, not passed around like an access-token, I see now that that wasn´t clear...this might capture it better?

Verify that ID Tokens are only valid as an user authentication response for the client where the user initiated the OIDC authorization request (not as an access token sent to resource servers)

[elarlang]

Verify that ID Tokens are only sent to the client where the user initiated the authorization request.

Was it duplicate to #2049 / #2005 or was the actual goal: Verify that ID-token is not sent to the Client by default / without need to have ID-token

Verify that if the ID Token is sent to the front channel or a public client they should be encrypted or not contain any sensitive user data.

One may mixed signed and encrypted here for JWT's.

We just had discussion over this in #2029 without reaching anywhere.

and I keep the topic in #1919

[TobiasAhnoff]

Verify that ID Tokens are only sent to the client where the user initiated the authorization request. (L1,L2,L3)

This is duplicated by #2005

[TobiasAhnoff]

Verify that if the ID Token is sent to the front channel or a public client they should be encrypted or not contain any sensitive user data.

This should be included in #1919, so this can be closed as a duplicate.

[elarlang]

Ok, I close this as duplicate.