Re: [keycloak-dev] Some OIDC JIRAs to fix?

On 01/07/16 08:58, Stian Thorgersen wrote: On 30 June 2016 at 16:25, Marek Posolda <mposolda(a)redhat.com&gt; wrote: > I am adding some OIDC specs JIRAs with possibility how to fix them. I am > including those, which will be easy to fix and I can look into them later > today or tomorrow before PTO : > > https://issues.jboss.org/browse/KEYCLOAK-3189 - Add 'typ' to JWT header > +1 > <https://issues.jboss.org/browse/KEYCLOAK-3190> > <https://issues.jboss.org/browse/>https://issues.jboss.org/browse/KEYCL... > - Add 'kid' to JWT header > +1 > > https://issues.jboss.org/browse/KEYCLOAK-3217 - UserInfo endpoint not > accessible by POST request secured with Bearer header > +1 > <https://issues.jboss.org/browse/KEYCLOAK-3147> > https://issues.jboss.org/browse/KEYCLOAK-3147 - OpenID Connect auth > request redirect_uri behaviour not according to spec > +1 To just require redirect_uri in either case We need separate JIRAs for scope=openid and another one for removal of ID token when scope=openid isn't used For now, I've created https://issues.jboss.org/browse/KEYCLOAK-3237 for both things. > <https://issues.jboss.org/browse/KEYCLOAK-3222> > <https://issues.jboss.org/browse/>https://issues.jboss.org/browse/KEYCL... > - WellKnown endpoint doesn't return supported types of client > authentication > +1 > <https://issues.jboss.org/browse/>https://issues.jboss.org/browse/KEYCL... > - WellKnown endpoint doesn't support claims_supported > Maybe this one isn't so straightforward due to protocol mappers? Yes, right. Just publish it with some value will be easy (and probably will make OIDC test happy :) ) but tricky part is which value to use... > > > All of those are quite straightforward and easy to fix IMO. > > > Besides that, there are those 2, which I first rather want to confirm > what exactly to do: > > - https://issues.jboss.org/browse/KEYCLOAK-3221 Tokens not invalidated > if an attempt to reuse code is made > > We have just single-use code (which is good), however OAuth2 specs > recommends to invalidate existing tokens if an attempt to reuse code is > done. And one OIDC test is in WARNING state because of it (it tries to > access UserInfo endpoint with the accessToken issued with the reused code). > > I can see 2 possibilities to fix: > a) Invalidate just single clientSession where "code" attempt reuse was > made > b) Logout whole userSession > > It looks to me that (a) is sufficient solution. The potential issue with > (b) is, that if attacker can steal code, it gives him the possibility to > trigger global logout of user from all apps. WDYT? > I think option (a) is the correct approach. I interpret the spec to state that tokens associated with the specific code should be invalidated. Option (b) seems a bit over the top and not necessary I also wonder if there's non-malicious situations where an application could try to exchange a code twice, for example after a timeout or an automated connection retry? Not sure if this can be really an issue... Maybe we can fix and see if someone see issues?

Marek > > > - https://issues.jboss.org/browse/KEYCLOAK-3218 Support for "max_age" in > AuthorizationEndpoint and "auth_time" claim on IDToken > > The possibility to implement is : > - Add new note AUTH_TIME to UserSessionModel. It will be time when > authentication of user was fully finished (including requiredActions). > Session note is used just so we don't need to change the model ;) > - If "max_age" parameter was requested, the "auth_time" will be added to > IDToken (or I will re-check specs if we should rather always add it to > IDToken) > - I am also thinking about adding hook to CookieAuthenticator, so that if > max_age parameter was used and userSession authTime is too "old", the > CookieAuthenticator will be ignored and user will need to re-authenticate > with other authenticators (username/password form etc). Then authTime will > be updated on userSession once authentication is finished. > +1 Sounds good > > WDYT? > > That will leave us with bigger things for OIDC Basic certification ( > scope parameter support, possibly 'claims' param support and 'acr' support). > > Marek > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev >