Ldapwiki: Web Blog_blogentry_150617_1

apache jspωiki

2017-06-15#

Best Practices OpenID Connect #

Minimal id_token verification#

iss - this value MUST match the OpenID Connect Discovery issuer value
aud - this MUST be your client_id
nonce - This MUST be the nonce value you sent in your request
exp - verify the assertion has not expired
Verify the JWS Digital Signature of the JWT id_token

OPTIONAL id_token verifications:

at_hash - verify that your are using the correct access Token
s_hash - verify the hash of the OAuth state parameter
iat - maybe you want an id_token that was issued within a certain time frame?
auth_time - Perhaps it has been longer than you think is reasonable and you can send the OpenID Connect Provider a prompt Parameter (prompt=login) to the Authorization_endpoint

Read the OpenID Connect Implementer's Guides

Advanced OpenID Connect Clients #

Use the Hybrid Flow
Be sure you only send the Authorization Code to the correct issuer to prevent a IDP mix-up attack.
Use a distinct redirect_uri for each OpenID Connect Provider
If using a OAuth Public Client implement Proof Key for Code Exchange by OAuth Public Clients and use SHA-2
Use TLS 1.2 or later and follow RFC 7525
implement Mutual TLS Profiles for OAuth Clients or Token Binding Protocol
Use acr_values sending in the OpenID Connect Authentication Request
- default_acr-values can be registered in the OAuth 2.0 Client Registration
- verify id_token for acceptable acr claim.
Use FIDO
Crypto Guidlines
- RSA should use minimum 2048 bit keys
- Elliptic Curve key should be minimum of 160 bits
- client Secret should be minimum of 128 bits is using symmetric Key Cryptography
- Use PS256 or ES256 Signature algorithms
- OpenID Connect Federation provide3s an out-of-band Key-Exchange for signing keys.

OpenID Connect Client #

OpenID Connect DO THESE#

Do use Form Post Response Mode
Use and Verify non-static OAuth state parameter or nonce to stop Cross-site request forgery
- at_hash or and verify the

OpenID Connect DO NOT THESE#

client_secret_basic - Credentials are only encoded, (ie no Encryption)

Method	Secret Encrypted	Signed
client_secret_basic	NO	NO
client_secret_post	NO	NO
client_secret_jwt	NO	Yes
private_key_jwt	Yes	Yes

More Information#

There might be more information for this subject on one of the following: ...nobody

Back to main blog page Add new comments