Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

recommend auth code flow using signed requests #226

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

recommend auth code flow using signed requests #226

wants to merge 1 commit into from

Conversation

AxelNennker
Copy link
Collaborator

What type of PR is this?

Add one of the following kinds:

  • documentation

What this PR does / why we need it:

This PR recommends using signed OIDC authoritzation code flow requests.

Which issue(s) this PR fixes:

Fixes #205

@jpengar jpengar requested a review from mhfoo November 12, 2024 13:10
@AxelNennker AxelNennker mentioned this pull request Nov 12, 2024
Open
jpengar
jpengar reviewed Nov 12, 2024
View reviewed changes
documentation/CAMARA-Security-Interoperability.md
@@ -66,6 +66,8 @@ All network connections MUST use TLS 1.2 or better.

The OIDC Authorization Code Flow is defined in [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html)

It is RECOMMENDED that signed authentication requests be used, as specified by [OIDC](https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests). The same key MAY be used for signing the authentication request as is used for client authentication.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
It is RECOMMENDED that signed authentication requests be used, as specified by [OIDC](https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests). The same key MAY be used for signing the authentication request as is used for client authentication.
It is RECOMMENDED that signed authentication requests be used, as specified by [OIDC](https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests). The same key MAY be used for signing the authentication request as is used for [client authentication](#client-authentication).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jpengar jpengar jpengar left review comments

@sebdewet sebdewet Awaiting requested review from sebdewet sebdewet is a code owner

@mhfoo mhfoo Awaiting requested review from mhfoo

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Spring25: Proposal to RECOMMEND the use of Signed Request Object for the /authorize endpoint to prevent abuse
2 participants
@AxelNennker @jpengar