OWASP / ASVS

Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

Proposal/discussion: OIDC requirement to ensure issuer URL == issuer claim #2003

Open deleterepo opened 1 month ago

deleterepo commented 1 month ago

As per the discussion in https://github.com/OWASP/ASVS/issues/1969. From https://openid.net/specs/openid-connect-discovery-1_0.html#Security:

An attacker may attempt to impersonate an OpenID Provider by publishing a Discovery document that contains an issuer Claim using the Issuer URL of the OP being impersonated, but with its own endpoints and signing keys. This would enable it to issue ID Tokens as that OP, if accepted by the RP.

We can have a requirement such as this:

Verify that relying parties ensure that the issuer URL they are using for the configuration request exactly matches the value of the issuer claim in the OpenID provider metadata document received by the relying party, and that this also exactly matches the iss claim value in ID tokens that are supposed to be from that issuer.

@elarlang
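
As an added illustration of the proposed requirement (example code written for this thread, not from ASVS or the issue author), the two exact-match checks in Python; the issuer https://op.example, the host attacker.example and the sample metadata and claims are constructed:

```python
from typing import Any, Mapping


class IssuerMismatch(ValueError):
    """Raised when a metadata 'issuer' or ID token 'iss' disagrees with the configured issuer."""


def discovery_url(issuer: str) -> str:
    """Form the configuration request URL from the issuer URL the RP trusts; a
    trailing slash on the issuer is dropped before the well-known suffix is added."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_metadata_issuer(configured_issuer: str, metadata: Mapping[str, Any]) -> None:
    """Check 1: the 'issuer' value in the provider metadata must equal the issuer URL
    used for the configuration request. Exact string comparison only: no case folding,
    no trailing-slash or percent-encoding normalisation."""
    advertised = metadata.get("issuer")
    if not isinstance(advertised, str) or advertised != configured_issuer:
        raise IssuerMismatch(f"metadata issuer {advertised!r} != configured {configured_issuer!r}")


def check_id_token_issuer(configured_issuer: str, claims: Mapping[str, Any]) -> None:
    """Check 2: the 'iss' claim of an ID token must equal the same issuer URL
    (in addition to the usual signature, aud, exp and nonce validation)."""
    iss = claims.get("iss")
    if not isinstance(iss, str) or iss != configured_issuer:
        raise IssuerMismatch(f"ID token iss {iss!r} != configured {configured_issuer!r}")


def issuer_is_consistent(configured_issuer: str, metadata: Mapping[str, Any],
                         claims: Mapping[str, Any]) -> bool:
    """True only when both checks pass; the RP must reject the token otherwise."""
    try:
        check_metadata_issuer(configured_issuer, metadata)
        check_id_token_issuer(configured_issuer, claims)
    except IssuerMismatch:
        return False
    return True


# Constructed sample data: the RP is configured to trust https://op.example.
GOOD_ISSUER = "https://op.example"
GOOD_METADATA = {"issuer": GOOD_ISSUER, "jwks_uri": GOOD_ISSUER + "/jwks"}
GOOD_CLAIMS = {"iss": GOOD_ISSUER, "sub": "alice", "aud": "rp-client-id"}

# Constructed impersonation from the spec text: metadata fetched from
# https://attacker.example advertises the real OP's issuer with attacker-controlled keys.
SPOOFED_METADATA = {"issuer": GOOD_ISSUER, "jwks_uri": "https://attacker.example/jwks"}
```

The spoofed document is rejected because the URL the RP fetched it from (https://attacker.example) is not the issuer it advertises, and a token whose iss differs only by a trailing slash or letter case is rejected as well.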

randomstuff commented 1 month ago

Verify that relying parties ensure that the issuer URL they are using for the configuration request exactly matches the value of the issuer claim in the OpenID provider metadata document received by the relying party, and that this also exactly matches the iss claim value in ID tokens that are supposed to be from that issuer.

These look like two requirements:

  1. Verify that relying parties ensure that the issuer URL they are using for the configuration request exactly matches the value of the issuer claim in the OpenID provider metadata document received by the relying party
  2. Verify that this also exactly matches the iss claim value in ID tokens that are supposed to be from that issuer.

Could this be reformulated something like:

  1. Verify that the relying parties configured using OpenID Provider Configuration Information ensure that the issuer URL advertised in the OpenID Provider Configuration Information exactly matches the issuer URL of this OpenID provider.
  2. Verify that the issuer (iss) claim in the ID tokens received from an OpenID Provider exactly matches the issuer URL of this OpenID Provider.

All this could apply to plain OAuth as well.

elarlang commented 1 month ago

Do you think it is an OAuth and OIDC specific requirement, or is it a general token validation requirement?

We have a requirement:

| # | Description | L1 | L2 | L3 | CWE | NIST § |
|---|---|---|---|---|---|---|
| 3.5.6 | [ADDED] Verify that other, security-sensitive attributes of a stateless token are being verified. For example, in a JWT this may include issuer, subject, and audience. | | | | 287 | |

The changes for the mentioned requirement are discussed in https://github.com/OWASP/ASVS/issues/1967

elarlang commented 2 days ago

ping @deleterepo

Do you think it is an OAuth and OIDC specific requirement, or is it a general token validation requirement?

I personally would like to address this with a general requirement for tokens, with OIDC as an example if needed. See https://github.com/OWASP/ASVS/issues/1967#issuecomment-2351456688

elarlang commented 5 hours ago

Seems a duplicate of #1826, or at least related.