Comments (6)
A confidential Implicit Flow grant is fine to use if only the id_token is returned and no access tokens are used/allowed in this flow.
This is sometimes required.
I suggest maybe changing the text in proposal 1 a bit?
Hi @damienbod , I understand the comment is on "proposal 1". We have a separate issue for this opened now - #1970
Please share your argument there :)
from asvs.
Thank you for your input, I do first quick feedback round:
proposal 1
I opened a separate issue, with a point of view that we just need to accept PKCE: #1970
proposal 2
Is it already covered by the issue #1826, and if not, what is the difference?
proposal 3
We have #1965 for this opened now.
proposal 4
I think we have requirement 51.2.2 to cover it.
If you have a proposal, how to improve it, please open a separate issue for that.
If you would like to touch the topic from a different angle (as having a new separate requirement), then what could it be?
proposal 5
Is it OIDC specific or is it general JWT validation (https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1)?
V3.5.6 Verify that other, security-sensitive attributes of a stateless token are being verified. For example, in a JWT this may include issuer, subject, and audience.
For mentioned requirement, we also have a opened issue: #1967
from asvs.
Thank you for your input, I do first quick feedback round:
proposal 1
I opened a separate issue, with a point of view that we just need to accept PKCE: #1970
Sounds good let's continue the discussion in #1970. Please see my latest comments.
proposal 2
Is it already covered by the issue #1826, and if not, what is the difference?
It's covered. Let's keep the discussion going in #1826. Part of these proposals is pointing out what is OIDC-specific, in case we want to have a separate section for that in V51. I also wanted to make sure this issue is still considered as it seems to be an important requirement.
proposal 3
We have #1965 for this opened now.
👍
proposal 4
I think we have requirement 51.2.2 to cover it.
If you have a proposal, how to improve it, please open a separate issue for that.
If you would like to touch the topic from a different angle (as having a new separate requirement), then what could it be?
For 51.2.2 it might be best if I open a separate issue. I think this requirement has too much going on, as it states that we need to only use PKCE (see comments in #1970), and it also talks about using nonce when not using PKCE. PKCE or more specifically Authorization Code flow with PKCE can be used for both OAuth and OIDC, whereas the nonce is specific to OIDC. So the more I think about it the more it makes sense to have a separate section for OIDC, to avoid confusion. One way to start with that is to move or break out any requirements that involve the ID token. What do you think about that?
proposal 5
Is it OIDC specific or is it general JWT validation (https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1)?
V3.5.6 Verify that other, security-sensitive attributes of a stateless token are being verified. For example, in a JWT this may include issuer, subject, and audience.
For mentioned requirement, we also have a opened issue: #1967
This requirement I mention is specific to OpenID Provider Issuer Discovery. See here: https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery. This requirement ensures that the issuer URL used to perform the OpenID Provider configuration request for the configuration document at /.well-known/openid-configuration
, is the same as the issuer URL (claim) in the document itself, and that the same issuer URL is validated against the one in the ID token.
For example, here is one of Google's: https://accounts.google.com/.well-known/openid-configuration?callback=angular.callbacks._0. To perform issuer Discovery, you would make a GET request to retrieve this document, ensuring that the issuer claim matches https://accounts.google.com
. Subsequent ID tokens issued from the token endpoint should have iss
match https://accounts.google.com
as well.
from asvs.
Agree with
- to open separate issue for proposal 4
- to make separate section for OIDC (it was basically agreed long time ago somewhere else), just let's get first requirement(s) in
- ack, it makes sense to open separate issue for proposal 5 as well
If separate issues are opened, we can close this issue.
For requirements - first let's have proposal in the issue, and if it finds agreement, then it's time for PR.
from asvs.
A confidential Implicit Flow grant is fine to use if only the id_token is returned and no access tokens are used/allowed in this flow.
This is sometimes required.
I suggest maybe changing the text in proposal 1 a bit?
from asvs.
I politely disagree with the comment below. See #1970 (comment)
A confidential Implicit Flow grant is fine to use if only the id_token is returned and no access tokens are used/allowed in this flow.
This is sometimes required.
I suggest maybe changing the text in proposal 1 a bit?
from asvs.
Related Issues (20)
- Minor V7 changes HOT 2
- Italian Translation HOT 1
- V11 rework by @jmanico HOT 16
- update 50.2.1 (v4.0.3-14.4.3) and/or split requirement for content-security-policy HOT 13
- move or merge 8.3.5 to V7 HOT 3
- URL Safety HOT 23
- proposal/discussion: OAuth - disallow web application to be OAuth public client (and to have direct communication with OAuth token endpoint) HOT 4
- proposal/discussion: OAuth - (for 1st party usage) only used (by the client) communication options must be allowed by authorization server HOT 4
- proposal/discussion: OAuth - separate requirement for redirect_uri string-match registration and handling HOT 8
- discussion: OAuth - using OAuth just for authentication HOT 7
- proposal/discussion: JWT - 3.5.6 add "type", and rephrase it to describe the goal HOT 8
- proposal/discussion: OAuth: requirement for refresh_token lifetime
- discussion OAuth/OIDC: accepted flows and grants HOT 7
- 4.3.1 and 4.3.3 HOT 7
- Password Storage Algorithms 2.4.1 revisited HOT 3
- Make 2.1.14 easier and more simplified HOT 7
- Implement Requirement for Anomalous Behavior Detection HOT 4
- cloud config scanning HOT 1
- Link checker is temperamental and apparently deprecated HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from asvs.