2017-06-15#
Best Practices OpenID Connect#
Minimal id_token verification#
- iss - this value MUST match the OpenID Connect Discovery issuer value
- aud - this MUST be your client_id
- nonce - This MUST be the nonce value you sent in your request
- exp - verify the assertion has not expired
- Verify the JWS Digital Signature of the JWT id_token
OPTIONAL id_token verifications:
- at_hash - verify that you are using the correct Access Token
- s_hash - verify the hash of the OAuth state parameter
- iat - reject an id_token that was not issued within the time frame you consider acceptable
- auth_time - if the authentication is older than you consider reasonable, send the OpenID Connect Provider a prompt parameter (prompt=login) in the request to the Authorization_endpoint
Read the OpenID Connect Implementer's Guides
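The checks in the two lists above, written out as an added example (it is not code from the page or from any OpenID Connect library). The issuer, client_id, client secret and clock value are constructed placeholders. To stay dependency-free the signature check is HS256 with the client secret; a production client would fetch the OP's JWKS and verify PS256 or ES256 with a JWT library, but the claim checks are the same:

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the demo; none of these are real.
ISSUER = "https://op.example"          # must equal the Discovery document's "issuer"
CLIENT_ID = "my-client"
CLIENT_SECRET = b"constructed-client-secret-0123456789abcdef"  # HS256 key, demo only


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_sign(claims: dict, key: bytes) -> str:
    """Mint a compact JWS (HS256) the way an OP would; used here only to produce test input."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def left_half_hash(value: str) -> str:
    """at_hash / s_hash for a SHA-256 alg: base64url of the left 128 bits of SHA-256(ascii(value))."""
    return b64url_encode(hashlib.sha256(value.encode("ascii")).digest()[:16])


def verify_id_token(id_token, key, *, issuer, client_id, nonce, now=None,
                    access_token=None, state=None, max_age=None):
    """Return the verified claims, or raise ValueError naming the first failed check."""
    now = time.time() if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, c, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: the token's own "alg" is untrusted input, so "none" or an
    # unexpected algorithm is rejected before any signature math happens.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{c}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c))
    # Mandatory checks.
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("aud mismatch")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp mismatch")  # required when aud names several clients
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired")
    # Optional checks: run only when the caller holds the corresponding value.
    if access_token is not None and not hmac.compare_digest(
            str(claims.get("at_hash", "")).encode(), left_half_hash(access_token).encode()):
        raise ValueError("at_hash mismatch")
    if state is not None and not hmac.compare_digest(
            str(claims.get("s_hash", "")).encode(), left_half_hash(state).encode()):
        raise ValueError("s_hash mismatch")
    if max_age is not None:
        auth_time = claims.get("auth_time")
        if not isinstance(auth_time, (int, float)) or now - auth_time > max_age:
            raise ValueError("authentication too old; re-request with prompt=login")
    return claims


def verification_error(id_token, key, **expectations):
    """None if the token verifies, otherwise the reason it was rejected."""
    try:
        verify_id_token(id_token, key, **expectations)
        return None
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    now = 1497484800  # constructed fixed clock: 2017-06-15T00:00:00Z
    token = hs256_sign({"iss": ISSUER, "aud": CLIENT_ID, "nonce": "n-0S6_WzA2Mj",
                        "iat": now, "exp": now + 300, "auth_time": now - 30}, CLIENT_SECRET)
    print(verify_id_token(token, CLIENT_SECRET, issuer=ISSUER, client_id=CLIENT_ID,
                          nonce="n-0S6_WzA2Mj", now=now, max_age=60))
```

The order matters: the signature is checked before any claim is read, so a forged payload is never parsed, and the algorithm is pinned by the verifier rather than taken from the token header.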
Advanced OpenID Connect Clients#
- Use the Hybrid Flow
- Be sure you only send the Authorization Code to the correct issuer to prevent an IDP mix-up attack.
- Use a distinct redirect_uri for each OpenID Connect Provider
- If using an OAuth Public Client, implement Proof Key for Code Exchange by OAuth Public Clients and use SHA-2 (the S256 code_challenge_method)
- Use TLS 1.2 or later and follow RFC 7525
- Implement Mutual TLS Profiles for OAuth Clients or the Token Binding Protocol
- Send acr_values in the OpenID Connect Authentication Request
- default_acr_values can be registered in the OAuth 2.0 Client Registration
- Verify the id_token carries an acceptable acr claim.
- Use FIDO
- Crypto Guidelines
- RSA keys should be at least 2048 bits
- Elliptic Curve keys should be at least 160 bits
- Client secrets should be at least 128 bits if using symmetric key cryptography
- Use PS256 or ES256 signature algorithms
- OpenID Connect Federation provides an out-of-band key exchange for signing keys.
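How the mix-up, distinct-redirect_uri and PKCE items above fit together on the client side, as an added example (not code from the page or from any OpenID Connect library). The two providers, their endpoints and the client's redirect URIs are constructed placeholders standing in for values a client would read from each OP's Discovery document. The client records which issuer each state belongs to, refuses a code that arrives on another provider's redirect_uri, uses each state once, and builds the token request for that issuer only, with the S256 code_verifier:

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed provider metadata (normally read from each OP's Discovery document).
# Note the distinct redirect_uri registered per provider.
PROVIDERS = {
    "https://op-a.example": {
        "authorization_endpoint": "https://op-a.example/authorize",
        "token_endpoint": "https://op-a.example/token",
        "redirect_uri": "https://client.example/cb/op-a",
    },
    "https://op-b.example": {
        "authorization_endpoint": "https://op-b.example/authorize",
        "token_endpoint": "https://op-b.example/token",
        "redirect_uri": "https://client.example/cb/op-b",
    },
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    # 32 random octets -> 43 unreserved characters, the RFC 7636 minimum length
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    # S256: base64url(SHA-256(ascii(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def op_accepts_verifier(code_challenge: str, code_verifier: str) -> bool:
    """The check the OP performs at its token endpoint before releasing tokens."""
    return hmac.compare_digest(code_challenge_s256(code_verifier), code_challenge)


def query_params(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class OidcClient:
    def __init__(self, client_id: str, providers: dict):
        self.client_id = client_id
        self.providers = providers
        self.pending = {}  # state -> what was sent, and to which issuer

    def start_login(self, issuer: str) -> str:
        """Build the Authentication Request URL for one provider and remember it."""
        meta = self.providers[issuer]
        state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        verifier = new_code_verifier()
        self.pending[state] = {"issuer": issuer, "nonce": nonce, "verifier": verifier,
                               "redirect_uri": meta["redirect_uri"]}
        params = {
            "response_type": "code", "client_id": self.client_id, "scope": "openid",
            "redirect_uri": meta["redirect_uri"], "state": state, "nonce": nonce,
            "code_challenge": code_challenge_s256(verifier), "code_challenge_method": "S256",
        }
        return meta["authorization_endpoint"] + "?" + urlencode(params)

    def handle_callback(self, callback_url: str):
        """Validate the redirect and return (issuer, token_endpoint, token_request, nonce)."""
        parsed = urlparse(callback_url)
        query = query_params(callback_url)
        pending = self.pending.pop(query.get("state", ""), None)  # each state is single-use
        if pending is None:
            raise ValueError("unknown or replayed state")
        arrived_at = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
        if arrived_at != pending["redirect_uri"]:
            raise ValueError("code arrived on another provider's redirect_uri: possible IDP mix-up")
        if "code" not in query:
            raise ValueError("no code in authorization response: " + query.get("error", "unknown"))
        meta = self.providers[pending["issuer"]]
        token_request = {
            "grant_type": "authorization_code", "code": query["code"],
            "redirect_uri": pending["redirect_uri"], "client_id": self.client_id,
            "code_verifier": pending["verifier"],
        }
        # Only the issuer that received the Authentication Request ever sees the code.
        return pending["issuer"], meta["token_endpoint"], token_request, pending["nonce"]


def callback_rejected(client: OidcClient, callback_url: str) -> bool:
    try:
        client.handle_callback(callback_url)
        return False
    except ValueError:
        return True
```

The returned nonce is what the id_token check in the previous section compares against; keeping it in the per-state record, rather than in a cookie shared across providers, is what ties the code, the verifier and the nonce to one issuer.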
OpenID Connect Client#
OpenID Connect DO THESE#
- Do use Form Post Response Mode
- Use and verify a non-static OAuth state parameter or nonce to stop Cross-site request forgery
- at_hash or and verify the
OpenID Connect DO NOT THESE#
- client_secret_basic - credentials are only encoded, not encrypted

| Method | Secret Encrypted | Signed |
|---|---|---|
| client_secret_basic | No | No |
| client_secret_post | No | No |
| client_secret_jwt | No | Yes |
| private_key_jwt | Yes | Yes |