<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I am adding some OIDC spec JIRAs with a possible way to fix each.
I am including those which will be easy to fix, and I can look into
them later today or tomorrow before PTO:<br>
<br>
<a class="moz-txt-link-freetext" href="https://issues.jboss.org/browse/KEYCLOAK-3189">https://issues.jboss.org/browse/KEYCLOAK-3189</a> - Add 'typ' to JWT
header<br>
<a class="moz-txt-link-freetext" href="https://issues.jboss.org/browse/KEYCLOAK-3190">https://issues.jboss.org/browse/KEYCLOAK-3190</a> - Add 'kid' to JWT
header<br>
<a class="moz-txt-link-freetext" href="https://issues.jboss.org/browse/KEYCLOAK-3217">https://issues.jboss.org/browse/KEYCLOAK-3217</a> - UserInfo
endpoint not accessible by POST request secured with Bearer
header<br>
<a class="moz-txt-link-freetext" href="https://issues.jboss.org/browse/KEYCLOAK-3147">https://issues.jboss.org/browse/KEYCLOAK-3147</a> - OpenID Connect
auth request redirect_uri behaviour not according to spec<br>
<a class="moz-txt-link-freetext" href="https://issues.jboss.org/browse/KEYCLOAK-3222">https://issues.jboss.org/browse/KEYCLOAK-3222</a> - WellKnown endpoint doesn't return
supported types of client authentication<br>
<a class="moz-txt-link-freetext" href="https://issues.jboss.org/browse/KEYCLOAK-3219">https://issues.jboss.org/browse/KEYCLOAK-3219</a>
- <span title="KEYCLOAK-3222: WellKnown endpoint
doesn't return supported types of client authentication"><span
class="link-summary"><span title="KEYCLOAK-3219: WellKnown
endpoint doesn't support claims_supported"><span
class="link-summary">WellKnown endpoint doesn't support
claims_supported<br>
<br>
<br>
All of those are quite straightforward and easy to fix IMO.<br>
<br>
<br>
Besides that, there are these 2, for which I would first rather
confirm what exactly to do:<br>
<br>
- <a class="moz-txt-link-freetext" href="https://issues.jboss.org/browse/KEYCLOAK-3221">https://issues.jboss.org/browse/KEYCLOAK-3221</a> Tokens not
invalidated if an attempt to reuse code is made <br>
<br>
We have just a single-use code (which is good); however, the OAuth2
spec recommends invalidating existing tokens if an attempt
to reuse a code is made. And one OIDC test is in WARNING state
because of it (it tries to access the UserInfo endpoint with the
accessToken issued with the reused code). <br>
<br>
I can see 2 possibilities to fix it:<br>
a) Invalidate just the single clientSession where the "code" reuse
attempt was made<br>
b) Logout the whole userSession<br>
<br>
It looks to me that (a) is a sufficient solution. The
potential issue with (b) is that if an attacker can steal a
code, it gives him the possibility to trigger a global logout
of the user from all apps. WDYT?<br>
<br>
<br>
- <a class="moz-txt-link-freetext" href="https://issues.jboss.org/browse/KEYCLOAK-3218">https://issues.jboss.org/browse/KEYCLOAK-3218</a> Support for
"max_age" in AuthorizationEndpoint and "auth_time" claim on
IDToken <br>
<br>
The possible implementation is: <br>
- Add a new note AUTH_TIME to UserSessionModel. It will be the
time when authentication of the user was fully finished
(including requiredActions). A session note is used just so we
don't need to change the model ;)<br>
- If the "max_age" parameter was requested, "auth_time" will
be added to the IDToken (or I will re-check the specs on whether we should
rather always add it to the IDToken)<br>
- I am also thinking about adding a hook to
CookieAuthenticator, so that if the max_age parameter was used
and the userSession authTime is too "old", the
CookieAuthenticator will be ignored and the user will need to
re-authenticate with other authenticators (username/password
form etc.). Then authTime will be updated on the userSession once
authentication is finished.<br>
<br>
WDYT?<br>
<br>
That will leave us with the bigger things for OIDC Basic
certification (scope parameter support, possibly 'claims'
param support and 'acr' support).<br>
<br>
Marek</span></span></span> <br>
</span>
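<p>The max_age / auth_time handling proposed in the mail above, as an added stand-alone Python illustration (not Keycloak's code): the UserSession class, AUTH_TIME note name and function names are assumptions standing in for UserSessionModel and the CookieAuthenticator hook; it also covers max_age=0 and a malformed max_age, which the mail does not spell out.</p>

```python
# Constructed stand-in for Keycloak's UserSessionModel: an SSO session that
# carries an AUTH_TIME note (seconds since epoch) recording when the user's
# authentication, including required actions, fully completed.
AUTH_TIME_NOTE = "AUTH_TIME"

class UserSession:
    def __init__(self, user_id, auth_time):
        self.user_id = user_id
        self.notes = {AUTH_TIME_NOTE: str(auth_time)}

def parse_max_age(params):
    """Return max_age from the authorization request as a non-negative int,
    or None if absent. A malformed value is rejected rather than silently
    ignored, so a client asking for re-authentication never gets less."""
    raw = params.get("max_age")
    if raw is None:
        return None
    if not raw.isdigit():
        raise ValueError("invalid max_age: %r" % raw)
    return int(raw)

def cookie_login_allowed(user_session, params, now):
    """The proposed CookieAuthenticator hook: reuse the SSO session unless
    the request carried max_age and the recorded auth_time is older than
    that. max_age=0 always forces re-authentication (OIDC Core treats it
    like prompt=login)."""
    max_age = parse_max_age(params)
    if max_age is None:
        return True
    if max_age == 0:
        return False
    auth_time = int(user_session.notes[AUTH_TIME_NOTE])
    return now - auth_time <= max_age

def complete_authentication(user_session, now):
    """Called once the login flow (username/password form etc.) finished:
    refresh AUTH_TIME so later max_age checks see the new authentication."""
    user_session.notes[AUTH_TIME_NOTE] = str(now)
    return user_session

def id_token_claims(user_session, params, now, issuer, client_id, lifetime=300):
    """Build ID token claims. auth_time is added when max_age was requested,
    the case where the spec requires it (an OP may also always include it)."""
    claims = {"iss": issuer, "sub": user_session.user_id, "aud": client_id,
              "iat": now, "exp": now + lifetime}
    if parse_max_age(params) is not None:
        claims["auth_time"] = int(user_session.notes[AUTH_TIME_NOTE])
    return claims
```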
</body>
</html>