OpenConext / OpenConext-oidcng

OpenID Connect gateway - The Next Generation

Disallow unsigned JWT requests by signalling it in the openid-configuration #155

Closed phavekes closed 2 weeks ago

phavekes commented 2 weeks ago

This issue is imported from pivotal - Originally created at Dec 7, 2020 by Bart Geesink

I would like to add the following parameter to the .well-known endpoint: request_object_signing_alg_values_supported:

The value should be "RS256":

This effectively disables unsigned JWT requests (and makes sure the certification tool passes this)

OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request Objects, which are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are used both when the Request Object is passed by value (using the request parameter) and when it is passed by reference (using the request_uri parameter). Servers SHOULD support none and RS256. 

Although the spec allows unsigned requests, we can explicitly disable it with this configuration parameter. If we do need unsigned JWT requests in the future, we can then look into it.
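As an added illustration (not code from this issue or from OpenConext-oidcng), the Python below builds a constructed discovery-document fragment that advertises only RS256 under `request_object_signing_alg_values_supported`, and shows the check an OP would apply to an incoming Request Object's JOSE header before any signature verification: an `alg` of `none`, a missing `alg`, or an algorithm outside the advertised list is rejected. Advertising the value in `.well-known/openid-configuration` is the signal; the rejection still has to happen at the endpoint that receives the `request` or `request_uri` parameter. The issuer URLs, `kid`, and the sample tokens are constructed placeholders with dummy signature bytes, so this demonstrates the algorithm policy only, not RS256 signature validation.

```python
import base64
import json

# Constructed discovery-document fragment (placeholder issuer, not OpenConext's real output).
# Listing only RS256 signals that unsigned ("none") Request Objects are not accepted.
DISCOVERY = {
    "issuer": "https://op.example.org",
    "request_object_signing_alg_values_supported": ["RS256"],
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWS strips."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jose_header(request_object: str) -> dict:
    """Parse the protected header of a compact JWS/JWT without verifying it."""
    parts = request_object.split(".")
    if len(parts) != 3:
        raise ValueError("request object is not a compact JWS (expected 3 segments)")
    return json.loads(_b64url_decode(parts[0]))


def request_object_alg_allowed(request_object: str, discovery: dict = DISCOVERY) -> bool:
    """Return True only if the Request Object's alg is one the OP advertises.

    'none', a missing alg, a non-string alg, or any algorithm outside the advertised
    list is rejected before signature verification is even attempted.
    """
    allowed = discovery.get("request_object_signing_alg_values_supported", [])
    try:
        alg = jose_header(request_object).get("alg")
    except (ValueError, UnicodeDecodeError):  # JSONDecodeError and binascii.Error are ValueErrors
        return False
    return isinstance(alg, str) and alg != "none" and alg in allowed


def make_sample_jwt(header: dict, claims: dict, signature: bytes = b"") -> str:
    """Build a compact JWT for the constructed samples below; the signature bytes are dummies."""
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(signature),
    ])


# Constructed sample Request Objects (placeholder RP/OP URLs and key id).
CLAIMS = {"iss": "https://rp.example.org", "aud": "https://op.example.org", "scope": "openid"}
UNSIGNED = make_sample_jwt({"alg": "none"}, CLAIMS)                                   # "hdr.body." with empty signature
RS256_SIGNED = make_sample_jwt({"alg": "RS256", "kid": "rp-key-1"}, CLAIMS, b"\x00" * 256)
HS256_SIGNED = make_sample_jwt({"alg": "HS256"}, CLAIMS, b"\x00" * 32)

if __name__ == "__main__":
    print(json.dumps(DISCOVERY, indent=2))
    for label, token in [("none", UNSIGNED), ("RS256", RS256_SIGNED), ("HS256", HS256_SIGNED)]:
        verdict = "accepted" if request_object_alg_allowed(token) else "rejected"
        print(f"{label:>6}: {verdict}")
```

The policy check is deliberately separate from signature verification: a token whose header passes `request_object_alg_allowed` must still have its RS256 signature verified against the RP's registered key before any of its claims are trusted, and a token that fails the check never reaches the verifier at all.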

phavekes commented 2 weeks ago
@bartgeesink https://github.com/OpenConext/OpenConext-deploy/commit/6271cbf0caf56d642961ada0c8fb13eadd7dc143 (Okke Harsta - Dec 8, 2020)