V51 OAuth: Add new OIDC generic verifications #2046
Comments
I am somewhat wondering what this means because:
Moreover, is this forbidding the case when all the OpenID connect dance is happening transparently behind the scene:
The customer usually wants all the OIDC to happen behind the scenes as long as possible in order to have its users get the job done.
The intention with
was basically the same as the discussions in #2049 and #2005, that ID tokens are used as an authentication response, not passed around like an access token. I see now that that wasn't clear... this might capture it better?
Was it a duplicate of #2049 / #2005, or was the actual goal: Verify that the ID token is not sent to the Client by default / without a need to have the ID token?
One may mix signed and encrypted here for JWTs. We just had a discussion over this in #2029 without reaching anywhere, and I keep the topic in #1919.
This is duplicated by #2005.
This should be included in #1919, so this can be closed as a duplicate.
Ok, I close this as duplicate.
The following verifications are suggested to be added to the proposed new OIDC chapter (see #2037).
Generic OIDC security
Verify that ID Tokens are only sent to the client where the user initiated the authorization request. (L1,L2,L3)
Verify that if the ID Token is sent to the front channel or to a public client, it is encrypted or does not contain any sensitive user data. (L1,L2,L3)
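As an added example (not ASVS text or code from this issue), the two checks a relying party would implement for these verifications, in Python on the standard library only: binding a received ID token to the client's own pending authorization request (iss, aud/azp, nonce, exp), and for front-channel delivery accepting an encrypted token (JWE) while rejecting a plaintext token that carries sensitive user claims. The session dict shape, the sensitive-claim set and the make_token helper are assumptions constructed for this example; signature verification is assumed to happen before these checks.

```python
import base64
import json

# Constructed for this example: claims that should not travel in plaintext
# over the front channel (illustrative set, not a list taken from ASVS).
SENSITIVE_CLAIMS = {"email", "phone_number", "address", "birthdate"}

def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def decode_id_token(token: str):
    """Return the payload claims of a compact JWS, or None for a JWE (5 segments).
    Signature verification is assumed to happen before this step and is not shown."""
    parts = token.split(".")
    if len(parts) == 5:
        return None
    if len(parts) != 3:
        raise ValueError("not a compact JWS or JWE")
    return json.loads(_b64url_decode(parts[1]))

def check_binding(claims: dict, session: dict, now: float) -> list:
    """Verify the token answers this client's own pending request; empty list means OK."""
    problems = []
    if claims.get("iss") != session["issuer"]:
        problems.append("iss does not match the configured provider")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if session["client_id"] not in aud:
        problems.append("aud does not include this client")
    if len(aud) > 1 and claims.get("azp") != session["client_id"]:
        problems.append("multiple audiences but azp is not this client")
    if not session.get("nonce") or claims.get("nonce") != session["nonce"]:
        problems.append("nonce does not match the pending request")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems

def check_front_channel(token: str) -> list:
    """Front-channel delivery: an encrypted token (JWE) passes; a plaintext JWS
    must not carry sensitive user data."""
    claims = decode_id_token(token)
    if claims is None:
        return []
    return ["plaintext sensitive claim: " + c for c in sorted(SENSITIVE_CLAIMS & set(claims))]

def make_token(claims: dict) -> str:
    """Constructed test helper: JWS-shaped token with a dummy signature segment."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256"}) + "." + enc(claims) + ".dummysig"
```

The nonce in `session` is the value the client generated for its own authorization request, so a token issued for another client's or another user's request (or replayed later) fails the binding check.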