V51 OAuth: Add new OIDC Authorization Server verifications #2047

Status: Open. TobiasAhnoff opened this issue Aug 31, 2024 · 2 comments

Labels:
- 1) Discussion ongoing (issue is opened and assigned but no clear proposal yet)
- 2) Awaiting response (awaiting a response from the original poster)
- V51 (group issues related to OAuth)
- _5.0 - prep (this needs to be addressed to prepare 5.0)

Comments

TobiasAhnoff (issue description, Aug 31, 2024):

The following verifications are suggested to be added to the proposed new OIDC chapter (see #2037).

Authorization Server

Verify that well-known, industry-standard Authorization Servers are used; preferably these services are certified and listed at https://openid.net/certification/#OPENID-OP-P. For L3 applications they should also implement the FAPI security profile.

Verify that only the grant types 'code', 'ciba' or 'id-token' are used. Note that FAPI 2.0 recommends 'code' over the OIDC Hybrid flow 'id-token code' (which was previously recommended in FAPI 1.0).

Verify that all clients requiring access tokens are using the 'code' grant or, if needed for device flows, the 'ciba' grant.

@elarlang elarlang added the V51 Group issues related to OAuth label Aug 31, 2024
randomstuff commented Sep 1, 2024:

> Verify that only the grant types 'code', 'ciba' or 'id-token' are used. Note that FAPI 2.0 recommends 'code' over the OIDC Hybrid flow 'id-token code' (which was previously recommended in FAPI 1.0).

I believe the wording is somewhat misleading: there is no grant_type=id_token but response_mode=id_token / code id_token.
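
The two verifications quoted above (authorization code flow or CIBA only, no hybrid flow) and the distinction randomstuff draws between the authorization-endpoint response_type and the token-endpoint grant_type can be checked mechanically. The script below is an added example written for this thread, not code from the issue or from the ASVS project: it inspects an OIDC discovery document's advertised response types, grant types and PKCE methods, and checks one authorization request URL, against an allowlist of "code" (with PKCE S256) and the CIBA grant. The discovery document, client id and URLs are constructed sample input; treating refresh_token as acceptable and expecting a nonce on OpenID requests are assumptions made here.

```python
"""Check an OIDC authorization server's advertised flows and a client's
authorization request against an allowlist: authorization code flow (with
PKCE S256) plus CIBA. Sample inputs below are constructed for illustration."""
import json
from urllib.parse import parse_qs, urlsplit

# Allowed at the authorization endpoint (response_type) and at the token
# endpoint (grant_type). These are distinct parameters: "code" is a
# response_type; the matching token-endpoint grant is "authorization_code".
ALLOWED_RESPONSE_TYPES = {"code"}
ALLOWED_GRANT_TYPES = {
    "authorization_code",
    "refresh_token",                      # assumption: refresh tokens are acceptable
    "urn:openid:params:grant-type:ciba",  # CIBA, allowed by the proposal for device flows
}
# response_type values that return an id_token or access token directly from
# the authorization endpoint, i.e. the implicit and OIDC hybrid flows.
FRONT_CHANNEL_TOKEN_TYPES = {"id_token", "token"}


def front_channel_token_parts(response_type: str) -> set[str]:
    """Parts of a space-separated response_type that deliver tokens on the front channel."""
    return set(response_type.split()) & FRONT_CHANNEL_TOKEN_TYPES


def check_discovery(doc: dict) -> list[str]:
    """Findings for a parsed OIDC discovery (.well-known/openid-configuration) document."""
    findings = []
    for rt in doc.get("response_types_supported", []):
        if front_channel_token_parts(rt):
            findings.append(f"response_type '{rt}' returns tokens from the "
                            f"authorization endpoint (implicit/hybrid)")
        elif rt not in ALLOWED_RESPONSE_TYPES:
            findings.append(f"response_type '{rt}' is not in the allowlist")
    # OpenID Connect Discovery 1.0 defines the default for an absent
    # grant_types_supported as ["authorization_code", "implicit"], so an
    # omitted key still implies the implicit grant.
    for gt in doc.get("grant_types_supported", ["authorization_code", "implicit"]):
        if gt not in ALLOWED_GRANT_TYPES:
            findings.append(f"grant_type '{gt}' is not in the allowlist")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        findings.append("PKCE code_challenge_method S256 is not advertised")
    return findings


def check_authorization_request(url: str) -> list[str]:
    """Findings for one authorization request URL a client sends to the AS."""
    params = parse_qs(urlsplit(url).query)
    findings = []
    response_type = params.get("response_type", [""])[0]
    if front_channel_token_parts(response_type):
        findings.append(f"response_type '{response_type}' is an implicit/hybrid flow; use 'code'")
    elif set(response_type.split()) != ALLOWED_RESPONSE_TYPES:
        findings.append(f"response_type '{response_type}' is not 'code'")
    if "code_challenge" not in params or params.get("code_challenge_method", [""])[0] != "S256":
        findings.append("PKCE (code_challenge with code_challenge_method=S256) is missing")
    # Assumption for this example: OpenID requests should carry a nonce.
    if "openid" in params.get("scope", [""])[0].split() and "nonce" not in params:
        findings.append("OpenID request without a nonce")
    return findings


# Constructed sample discovery document: advertises hybrid and implicit
# response types alongside "code", and the implicit grant.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://as.example",
  "response_types_supported": ["code", "code id_token", "id_token token"],
  "grant_types_supported": ["authorization_code", "implicit",
                            "urn:openid:params:grant-type:ciba"],
  "code_challenge_methods_supported": ["S256"]
}""")

# Constructed sample requests: a code-flow request with PKCE, and a hybrid one.
GOOD_REQUEST = ("https://as.example/authorize?response_type=code&client_id=app"
                "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb&scope=openid"
                "&state=s1&nonce=n1&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
                "&code_challenge_method=S256")
HYBRID_REQUEST = ("https://as.example/authorize?response_type=code%20id_token"
                  "&client_id=app&redirect_uri=https%3A%2F%2Fapp.example%2Fcb"
                  "&scope=openid&state=s2&nonce=n2")

if __name__ == "__main__":
    for finding in check_discovery(SAMPLE_DISCOVERY):
        print("discovery:", finding)
    for name, url in (("good", GOOD_REQUEST), ("hybrid", HYBRID_REQUEST)):
        print(name + ":", check_authorization_request(url) or "ok")
```

Running it against the sample data flags the two front-channel response types and the implicit grant in the discovery document, passes the code-flow request, and flags the hybrid request both for its response_type and for the absent PKCE parameters. A discovery document that merely omits grant_types_supported is still flagged, because of the spec default.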

@tghosth tghosth added 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet _5.0 - prep This needs to be addressed to prepare 5.0 labels Sep 2, 2024
@elarlang elarlang changed the title V5.1 OAuth: Add new OIDC Authorization Server verifications V51 OAuth: Add new OIDC Authorization Server verifications Sep 10, 2024
elarlang (Collaborator) commented:

> Verify that well known industry standard Authorization Servers are used, preferably these services are certified and listed at https://openid.net/certification/#OPENID-OP-P. For L3 applications they should also be implement the FAPI security profile.

For me it feels that we have it covered with dependency requirements in V14.2 Dependency. I think ASVS should concentrate on vulnerabilities not on certificates, although there can be correlation.

> Verify that only the grant types 'code', 'ciba' or 'id-token' are used. Note that FAPI 2.0 recommends 'code' over the OIDC Hybrid flow 'id-token code' (which was previously recommended in FAPI 1.0).

Is the wording updated based on feedback?

> Verify that all clients requiring access tokens are using the 'code' grant or, if needed for device flows, the 'ciba' grant.

todo: is it covered somewhere else?

@elarlang elarlang added the 2) Awaiting response Awaiting a response from the original poster label Sep 13, 2024
4 participants