Introduce quarkus.oidc (or quarkus.security) strict profile #23579
Description
Some OIDC properties which enable stricter security are not activated by default, for example, `quarkus.oidc.authentication.pkce-required` (as noticed by @pedroigor), to be introduced `nonce` might not be for `web-app` applications. This is compensated by the fact that if the client secret is set then the code would still be well-protected, but the extra safety measures will never hurt.

Also, `forceRedirectHttpsScheme` (i.e., we really don't want `HTTP` only endpoints doing the code flow, so enforcing it if `http` is only a proxy thing would not be a problem, also suggested for the `apple` profile by @FroMage), expected token type is optional (if we can deduce it is Keycloak we can enforce the type, id/access/refresh), etc.

By introducing a `strict` profile we can enforce that these and other relevant properties are enabled/enforced. This profile can also be activated by default and the users would then override some specific properties.

This idea of a strict profile can be relevant not only to `oidc` but to other security extensions. For example, requiring the authentication by default, etc.

Implementation ideas

Probably introduce `quarkus.security.strict=true` and then start from `oidc` and then keep going and check other security extensions (in follow-up issues).
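Added example, not part of the issue or of Quarkus: a small audit script that reads an `application.properties` and reports which of the settings discussed above a `web-app` tenant leaves at the lax default, treating the proposed `quarkus.security.strict=true` as the switch that makes a missing property acceptable and only an explicit `false` an override. Property names other than `pkce-required` (`force-redirect-https-scheme`, `nonce-required`, `token.token-type`) are assumed config keys, and the sample file is constructed.

```python
"""Audit application.properties against the stricter OIDC defaults discussed in the issue."""
from typing import Dict, List

# Settings the strict profile would turn on for the authorization code flow.
# pkce-required is from the issue; the other two key names are assumptions.
STRICT_AUTH_PROPS = {
    "authentication.pkce-required": "true",
    "authentication.force-redirect-https-scheme": "true",
    "authentication.nonce-required": "true",
}

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java-style .properties parser (key=value or key:value, # or ! comments)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props

def audit_oidc(props: Dict[str, str], tenant_prefix: str = "quarkus.oidc") -> List[str]:
    """Return findings for one tenant; named tenants use prefix quarkus.oidc.<tenant-id>."""
    # quarkus.security.strict is the key proposed in the issue, not an existing one.
    strict = props.get("quarkus.security.strict", "false").lower() == "true"
    findings: List[str] = []
    if props.get(f"{tenant_prefix}.application-type", "service") != "web-app":
        return findings  # only web-app tenants run the code flow these settings guard
    for suffix, wanted in STRICT_AUTH_PROPS.items():
        key = f"{tenant_prefix}.{suffix}"
        value = props.get(key)
        if value is None and not strict:
            findings.append(f"{key} not set: strict profile would default it to {wanted}")
        elif value is not None and value.lower() != wanted:
            findings.append(f"{key}={value} explicitly overrides the strict value {wanted}")
    if f"{tenant_prefix}.token.token-type" not in props:
        findings.append(f"{tenant_prefix}.token.token-type not set: expected token type is unchecked")
    return findings

# Constructed sample configuration for a web-app tenant with a lax setup.
SAMPLE = """
quarkus.oidc.auth-server-url=https://oidc.example.invalid/realms/demo
quarkus.oidc.client-id=frontend
quarkus.oidc.credentials.secret=CHANGEME-placeholder
quarkus.oidc.application-type=web-app
quarkus.oidc.authentication.pkce-required=false
"""

if __name__ == "__main__":
    for finding in audit_oidc(parse_properties(SAMPLE)):
        print(finding)
```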