-
-
Notifications
You must be signed in to change notification settings - Fork 679
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
V51 OAuth: Add new OIDC Client verifications #2048
Comments
FWIW, Keycloak, for example, currently sends ID token which are valid for 5 minutes by default. 1 minute might be a little bit drastic. While I agree that ID tokens are expected to be short-lived, adding this verification might lead to broken OIDC communications. What is the intend of this verification in the client? If the goal is to avoid ID token reuse, would it be better to request a fresh enough OIDC in the client (using the |
Wordsmithing needed, but the style and direction should be:
The requirement expects client id to be unique, so that also sets one general requirement as pre-conditon:
Discussion for this should be carried here: #2043 (comment) What problem we need to solve with short id-token lifetime? From where comes proposal for 1minute (is it backed up somewhere in RFC or OIDC spec)
In case it is meant to be against replay attacks, then maybe
We have duplicate discussion over this in #2002 |
@randomstuff I agree on 5 min (not 1) e g Duende and Curity Identity Server also has 5 min as default for ID tokens. |
For documenting things - can you clarify the risk here as well - why it is important to have a short-lived ID-token and what security problem it solves? |
"Check the aud" is also covered in:
The requirement itself is under discussion in #1967 |
This is to encourage the intended purpose of the ID token, as discussed in #2005, a short-lived ID token (with aud equal to the client id) is harder to reuse as an access token, and ID tokens in particular are more often than access-tokens exposed to the front-end, i e when using the OIDC id-token or hybrid flow.
This could be considered to detailed and covered (duplicated) by #2005
|
Previously linked #2005 is now in the document, but I'm not sure it covers the idea for this requirement. We also have other issues:
I think it is duplicate of issue #2002 If you agree that those topic are covered linked issues, we can close this one. |
The following verifications are suggested to be added for the client to the proposed new OIDC chapter (see #2037).
Client
Verify that in addition to regular JWT validation, ID tokens are validated to have 'aud' equal to the client id and a short lifetime (e g 1 minute).
Verify that if the 'id-token' grant is used then nonce validation must be performed on authorization respones.
The text was updated successfully, but these errors were encountered: