PrOfESSOS is our open source implementation for fully automated Evaluation-as-a-Service for SSO. PrOfESSOS introduces a generic approach to improve the security of OpenID Connect implementations by systematically detecting vulnerabilities.
Avoid OIDC Discovery cache persistence at client #11
The OIDC client caches discovery metadata, which prevents the Malicious Endpoint attack from working correctly.
There are two possible solutions:
1. Use the no-cache HTTP header when delivering the responses containing the metadata. This header is also used in the examples in the Discovery and Dynamic Registration specifications.
2. Use different URLs in the test, so the client is forced to fetch fresh metadata.
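The following is an added example illustrating the two mitigations proposed in this issue; it is not code from the PrOfESSOS project. It models a test OP serving `/.well-known/openid-configuration` either with or without `Cache-Control: no-store, no-cache` headers, and a minimal RP-side discovery client whose cache honours those headers and performs the issuer check that OpenID Connect Discovery requires. The metadata documents (`META_A`, `META_B`), the hostnames and the `run-N` issuer path suffix are constructed for the example. `run_scenario` performs two consecutive "test runs" against one client and reports whether the second run's metadata was actually observed, which is exactly what a cached discovery document defeats.

```python
import itertools
import json
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

Headers = Dict[str, str]
WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample metadata: the second document moves the authorization
# endpoint to another host, the kind of change a test run needs the client to see.
META_A = {"authorization_endpoint": "https://op.example.test/authorize",
          "token_endpoint": "https://op.example.test/token"}
META_B = {"authorization_endpoint": "https://other.example.test/authorize",
          "token_endpoint": "https://op.example.test/token"}


def discovery_response(issuer: str, metadata: dict, cacheable: bool) -> Tuple[Headers, bytes]:
    """Headers and body a test OP returns for the discovery document.

    cacheable=False is mitigation 1 from the issue: no-store/no-cache forbids
    reusing the document without revalidation, and with no validator
    (ETag/Last-Modified) revalidation means a full refetch.
    """
    body = json.dumps(dict(metadata, issuer=issuer)).encode()
    headers = {"Content-Type": "application/json"}
    if cacheable:
        headers["Cache-Control"] = "max-age=3600"
    else:
        headers["Cache-Control"] = "no-store, no-cache, must-revalidate"
        headers["Pragma"] = "no-cache"  # for HTTP/1.0 caches
    return headers, body


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split a Cache-Control header into {directive: argument-or-None}."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip().lower()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip()] = arg.strip().strip('"') or None
    return directives


@dataclass
class CacheEntry:
    metadata: dict
    expires_at: float


@dataclass
class DiscoveryClient:
    """Minimal RP-side discovery fetcher with a cache that follows HTTP semantics."""
    fetch: Callable[[str], Tuple[Headers, bytes]]
    cache: Dict[str, CacheEntry] = field(default_factory=dict)
    fetch_count: int = 0

    def get_metadata(self, issuer: str, now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        url = issuer.rstrip("/") + WELL_KNOWN
        entry = self.cache.get(url)
        if entry is not None and entry.expires_at > now:
            return entry.metadata          # served from cache, no round trip
        headers, body = self.fetch(url)
        self.fetch_count += 1
        metadata = json.loads(body)
        # OIDC Discovery 1.0, 4.3: the issuer in the document must match the one queried.
        if metadata.get("issuer") != issuer:
            raise ValueError("issuer mismatch in discovery document")
        cc = parse_cache_control(headers.get("Cache-Control", ""))
        if "no-store" in cc or "no-cache" in cc:
            self.cache.pop(url, None)      # never reuse without refetching
        else:
            self.cache[url] = CacheEntry(metadata, now + int(cc.get("max-age") or 0))
        return metadata


def run_scenario(cacheable: bool, fresh_issuer_per_run: bool) -> bool:
    """Two consecutive test runs against one client: serve META_A, then META_B.

    Returns True when the client observed META_B in the second run, i.e. the
    cache did not defeat the test. fresh_issuer_per_run=True is mitigation 2
    from the issue (a distinct issuer URL per run, here a hypothetical run-N suffix).
    """
    served = {"metadata": META_A}
    run_ids = itertools.count(1)

    def fetch(url: str) -> Tuple[Headers, bytes]:
        issuer = url[: -len(WELL_KNOWN)]
        return discovery_response(issuer, served["metadata"], cacheable)

    def issuer_for_run() -> str:
        base = "https://op.example.test"
        return f"{base}/run-{next(run_ids)}" if fresh_issuer_per_run else base

    client = DiscoveryClient(fetch)
    client.get_metadata(issuer_for_run(), now=1000.0)
    served["metadata"] = META_B
    observed = client.get_metadata(issuer_for_run(), now=1001.0)
    return observed["authorization_endpoint"] == META_B["authorization_endpoint"]


if __name__ == "__main__":
    print("cached, same URL      :", run_scenario(cacheable=True, fresh_issuer_per_run=False))
    print("no-cache, same URL    :", run_scenario(cacheable=False, fresh_issuer_per_run=False))
    print("cached, fresh URL/run :", run_scenario(cacheable=True, fresh_issuer_per_run=True))
```

Only the first combination (cacheable response, same issuer URL) fails: the client answers the second run from its cache and never sees the changed endpoint. Note that mitigation 1 depends on the client under test actually honouring Cache-Control; a client with its own process-lifetime metadata cache ignores the header, so mitigation 2 is the more robust choice for a test harness, and the issuer check means each fresh URL must also be echoed back as the `issuer` value of the document served there.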