
V51 OAuth: Add new OIDC Resource Server verifications #2049

Closed
TobiasAhnoff opened this issue Aug 31, 2024 · 5 comments
Assignees
Labels
1) Discussion ongoing Issue is opened and assigned but no clear proposal yet V51 Group issues related to OAuth _5.0 - prep This needs to be addressed to prepare 5.0

Comments

@TobiasAhnoff

The following verifications are suggested to be added for the Resource Server to the proposed new OIDC chapter (see #2037).

Resource Server

Verify that only access tokens are used for authorization, not other kinds of tokens like ID Tokens or Logout tokens. (L1,L2,L3)

@elarlang elarlang added the V51 Group issues related to OAuth label Aug 31, 2024
@randomstuff

Verifying that only access tokens are used for authorization (i.e. when used by a non-malicious client) is not the same as verifying that only access tokens are usable for authorization (lack of token type confusion vulnerability). Should this requirement address only the former point or both?

@tghosth tghosth added 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet _5.0 - prep This needs to be addressed to prepare 5.0 labels Sep 2, 2024
@elarlang
Collaborator

elarlang commented Sep 2, 2024

Related or duplicate discussion #2005?

@TobiasAhnoff
Author

@randomstuff reading this once more I understand the difference in wording and my intention was usable, so I suggest a change to

Verify that only access tokens are usable for authorization, not other kinds of tokens like ID Tokens or Logout tokens. (L1,L2,L3)
or
Verify that only access tokens can be used for authorization, not other kinds of tokens like ID Tokens or Logout tokens. (L1,L2,L3)

@elarlang I think this is the same discussion as #2005, maybe close this one and continue the discussion there, or the other way around?
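The "usable" wording above is what a resource server's token check actually has to enforce. As an added illustration, not code from this issue or from ASVS, here is a minimal Python resource-server check that accepts only access tokens: it combines the RFC 9068 `typ` header with audience binding, so an ID token or logout token from the same issuer is refused even though its signature is valid. The HS256 shared secret, issuer and audience values are constructed for the demo.

```python
import base64, hashlib, hmac, json, time
# Constructed demo values (not from the issue); a real resource server would
# verify RS256/ES256 signatures against the issuer's JWKS, not a shared secret.
SECRET = b"demo-issuer-key"
ISSUER = "https://issuer.example"
RESOURCE = "https://api.example"  # identifier this resource server expects in aud

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(header: dict, claims: dict) -> str:
    """Mint an HS256 JWT; stands in for the OP/AS that issues all three token kinds."""
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def authorize(token: str, now=None):
    """Return (accepted, subject-or-reason). Only RFC 9068 access tokens for this RS pass."""
    now = time.time() if now is None else now
    try:
        h, c, s = token.split(".")
        expected = hmac.new(SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(s)):
            return False, "bad signature"
        header, claims = json.loads(_unb64url(h)), json.loads(_unb64url(c))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed token"
    # Explicit typing (RFC 9068 "typ"): an ID token ("JWT") or logout token ("logout+jwt")
    # is rejected even though it carries a valid signature from the same issuer.
    if header.get("typ") not in ("at+jwt", "application/at+jwt"):
        return False, f"not an access token (typ={header.get('typ')!r})"
    # Audience binding is an independent second check: ID and logout tokens are
    # addressed to the client_id, never to this API, so reuse fails here too.
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if RESOURCE not in aud:
        return False, "audience mismatch"
    if claims.get("iss") != ISSUER or "events" in claims:  # "events" marks a logout token
        return False, "wrong issuer or logout event token"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, claims.get("sub", "")

NOW = 1_700_000_000  # fixed clock so the demo is reproducible
ACCESS = sign({"alg": "HS256", "typ": "at+jwt"}, {"iss": ISSUER, "aud": RESOURCE, "sub": "alice", "exp": NOW + 300, "scope": "read"})
ID_TOKEN = sign({"alg": "HS256", "typ": "JWT"}, {"iss": ISSUER, "aud": "client-123", "sub": "alice", "exp": NOW + 300, "nonce": "n1"})
LOGOUT = sign({"alg": "HS256", "typ": "logout+jwt"}, {"iss": ISSUER, "aud": "client-123", "sub": "alice", "iat": NOW, "events": {"http://schemas.openid.net/event/backchannel-logout": {}}})
```

A resource server that only checked the signature and `sub` would accept all three tokens; the `typ` and `aud` checks are what make "only access tokens are usable" true.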

@elarlang
Collaborator

elarlang commented Sep 9, 2024

> @elarlang I think this is the same discussion as #2005, maybe close this one and continue the discussion there, or the other way around?

Yes, no duplicates needed. Please carry all comments and information from here to the other one and close this one.

@elarlang
Collaborator

Well, let's keep this discussion in #2005 (comment). Closed as duplicate.
