Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support OIDC code flow nonce #23580

Closed
sberyozkin opened this issue Feb 10, 2022 · 2 comments · Fixed by #35039
Closed

Support OIDC code flow nonce #23580

sberyozkin opened this issue Feb 10, 2022 · 2 comments · Fixed by #35039
Assignees
@sberyozkin
Labels
area/oidc kind/enhancement New feature or request
Milestone
3.3.0.CR1

Comments

@sberyozkin
Copy link
Member

Description

@pedroigor has proposed that quarkus-oidc also generates nonce when redirecting to Keycloak which will help to minimize the ID token replay risk.
It may also make sense to optionally enforce c_hash and at_hash along the way as well to minimize the code/access token substitution risks - and all of these checks can be enforced when the strict profile will be enabled

Implementation ideas

No response
@sberyozkin sberyozkin added kind/enhancement New feature or request area/oidc labels Feb 10, 2022
@quarkus-bot
Copy link

quarkus-bot bot commented Feb 10, 2022

/cc @pedroigor

@sberyozkin sberyozkin mentioned this issue Feb 10, 2022
Merged
@sberyozkin sberyozkin changed the title Support OIDC code flow nonce, c_hash, at_hash Support OIDC code flow nonce Jul 26, 2023
@sberyozkin sberyozkin self-assigned this Jul 26, 2023
@sberyozkin
Copy link
Member Author

sberyozkin commented Jul 26, 2023
edited
Loading

I've removed c_hash, at_hash from this feature request - as adding nonce is big enough enhancement of its own, I'll deal with c_hash, at_hash as needed in different issues

@sberyozkin sberyozkin mentioned this issue Jul 26, 2023
Merged
@quarkus-bot quarkus-bot bot added this to the 3.3 - main milestone Jul 27, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sberyozkin sberyozkin

Labels
area/oidc kind/enhancement New feature or request
Projects
None yet
Milestone
3.3.0.CR1
Development

Successfully merging a pull request may close this issue.

Support OIDC authorization code flow nonce sberyozkin/quarkus
1 participant
@sberyozkin