Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Introduce quarkus.oidc (or quarkus.security) strict profile #23579

Open
sberyozkin opened this issue Feb 10, 2022 · 3 comments
Open

Introduce quarkus.oidc (or quarkus.security) strict profile #23579

sberyozkin opened this issue Feb 10, 2022 · 3 comments
Labels
area/oidc kind/enhancement New feature or request

Comments

@sberyozkin
Copy link
Member

Description

Some OIDC properties which enable stricter security are not activated by default, for example, quarkus.oidc.authentication.pkce-required (as noticed by @pedroigor), to be introduced nonce might not be for web-app applications. This is compensated by the fact the if the client secret is set then the code would still be well-protected, but there extra safety measures will never hurt.

Also, forceRedirectHttpsScheme (i.e, we really don't want HTTP only endpoints doing the code flow, so if enforcing it if http is only a proxy thing would not be a problem, also suggested for the apple profile by @FroMage), expected token type is optional (if we can deduce it is Keycloak we can enforce the type, id/access/refresh), etc.

By introducing a strict profile we can enforce that these and other relevant properties are enabled/enforced. This profile can be also activated by default and the users would then override some specific properties.

This idea of a strict profile can be relevant not only to oidc but other security extensions. For ex, requiring the authentication by default, etc

Implementation ideas

Probably introduce quarkus.security.strict=true and then start from oidc and then keep going and check other security extensions (in follow up issues)

@sberyozkin sberyozkin added kind/enhancement New feature or request area/oidc labels Feb 10, 2022
@quarkus-bot
Copy link

quarkus-bot bot commented Feb 10, 2022

/cc @pedroigor

@sberyozkin sberyozkin changed the title Introduce OIDC strict profile property Introduce quarkus.oidc (or quarkus.security) strict` profile property Feb 10, 2022
@sberyozkin sberyozkin changed the title Introduce quarkus.oidc (or quarkus.security) strict` profile property Introduce quarkus.oidc (or quarkus.security) strict profile property Feb 10, 2022
@sberyozkin sberyozkin changed the title Introduce quarkus.oidc (or quarkus.security) strict profile property Introduce quarkus.oidc (or quarkus.security) strict profile Feb 10, 2022
@sberyozkin
Copy link
Member Author

@pedroigor As part of this work for OIDC we can check the discovery document and enable PKCE, or check the supported algorithms and enforce the tokens are signed with one of those algorithms, etc, we can make it pretty extensive.
I have to admit it may take a bit of time to prioritize but I'm positive about your idea, thanks :-)

@pedroigor
Copy link
Contributor

@sberyozkin Sure, that was just something I thought and related to how we are re-thinking our configuration model. Having better/secure defaults while still giving some flexibility for dev/testing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/oidc kind/enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

2 participants