Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Spring25: Proposal to RECOMMEND the use of Signed Request Object for the /authorize endpoint to prevent abuse #205

Open
mhfoo opened this issue Sep 25, 2024 · 8 comments · May be fixed by #226

Comments

@mhfoo
Copy link
Collaborator

mhfoo commented Sep 25, 2024

Problem description
The simplest version of the OIDC /authorize endpoint is an unprotected endpoint with no means to authenticate the direct and indirect API Consumer. Anybody can monitor the existing traffic interaction with the /authorize endpoint (using a frontend application), and then perform a brute force attack on the /authorize endpoint to generate unnecessary auth codes.
The PKCE and nonce does not prevent the above scenarios.

In a federated scenario, the simplest version of the OIDC /authorize endpoint will allow chaining of unnecessary calls to downstream OIDC /authorize endpoints.

This is reopening issue #128 for Spring25 consideration.

Possible evolution
For the Spring25 CAMARA meta-release:

Recommend Signed Request Object for /authorize endpoint to be implemented, as per OIDC, Chapter 6, Passing Request Parameters as JWTs. The application backend will prepare and sign the request object using a private key, with the corresponding public key being published on well-know jwks endpoint. The application backend will then pass the signed request object to the application front using a 302 redirect response, where the application frontend will follow the redirect URL to invoke the intended /authorize endpoint. The /authorize endpoint will validate the signature of the signed request object with the corresponding jwks endpoint (which was registered as part of the onboarding process), identified using the client_id.

Alternative solution

Additional context
Related to Number Verification PR 94

@jpengar
Copy link
Collaborator

jpengar commented Sep 25, 2024

@mhfoo Why did you open a new issue on this topic? Why not just use your previous issue (#204) for the same purpose? Or better yet, when #204 was opened, it was mentioned that #194 already covered the discussion of mandating the use of signed requests for CIBA (as the original issue proposal), and Auth code was also covered in the discussion.

Did you manage to take a look at #194 comments?

@mhfoo
Copy link
Collaborator Author

mhfoo commented Sep 25, 2024

@jpengar
yes, I took a look at #194 and the comments. The requestor explicitly mentioned the proposal is for CIBA, not for Auth Code, for the Spring25 meta-release.

#204 is my request for clarification on the current Fall24 meta-release documentation. I am ok to close this issue when it is answered by the ICM working group or community. I am able to infer the answer, but my intended stakeholders/audience need an explicit answer to this question.

Hence, I see all 3 issues are related but the purpose and the requested outcomes are different. I hope this clarifies.

@jpengar
Copy link
Collaborator

jpengar commented Sep 25, 2024

@jpengar yes, I took a look at #194 and the comments. The requestor explicitly mentioned the proposal is for CIBA, not for Auth Code, for the Spring25 meta-release.

#204 is my request for clarification on the current Fall24 meta-release documentation. I am ok to close this issue when it is answered by the ICM working group or community. I am able to infer the answer, but my intended stakeholders/audience need an explicit answer to this question.

Hence, I see all 3 issues are related but the purpose and the requested outcomes are different. I hope this clarifies.

@mhfoo Fair enough 😜, I hope we really manage to keep these discussions isolated rather than having similar parallel discussions in different places. 🤞

@mhfoo
Copy link
Collaborator Author

mhfoo commented Oct 21, 2024

In view of interoperability between operators (in terms of securing the customer data, CAMARA certification), the proposal is to make signed request object for AuthCode flow to be mandatory between operators.

@jpengar
Copy link
Collaborator

jpengar commented Oct 22, 2024

@eric-murray's PR #217 recommends using signed requests for CIBA, but still allows the use of unsigned requests. It fixes #194. Should we extend this PR to recommend signed requests for both CIBA and Auth code flow to also address #205?
@mhfoo @AxelNennker @sebdewet

@mhfoo
Copy link
Collaborator Author

mhfoo commented Oct 23, 2024

@eric-murray's PR #217 recommends using signed requests for CIBA, but still allows the use of unsigned requests. It fixes #194. Should we extend this PR to recommend signed requests for both CIBA and Auth code flow to also address #205? @mhfoo @AxelNennker @sebdewet

Agree to recommend signed requests for both CIBA and Auth Code flows. Signed requests can be used as an idempotency key in both scenarios.

If majority of operators agree, the proposal is to make it mandatory between operators.

@mhfoo
Copy link
Collaborator Author

mhfoo commented Oct 23, 2024

@trehman-gsma 👆🏻

@AxelNennker AxelNennker linked a pull request Nov 12, 2024 that will close this issue
@AxelNennker
Copy link
Collaborator

To move forward with this issue I created a PR that recommends using signed requests in OIDC authorization code flow.
Please review #226

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants