Closed cjmak closed 2 years ago
I now understand that the auth_time claim can be checked to ensure a new login has taken place, i.e. credentials were provided. If a bad actor tampered with the challenge then they wouldn't have provided credentials and hence the auth_time will not be updated. I think this is satisfactory, but I would've thought that a way to encrypt the challenge params would have been a better way.
CJ
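The auth_time check described in the closing comment, as an added example that is not part of the original issue or of OpenIdConnectHandler. It assumes the ID token's signature has already been verified by the middleware, that the app recorded when it issued the challenge after logout (`CHALLENGE_AT`) together with the nonce it generated, and that it optionally sent max_age. The tokens are constructed for the scenario in the issue, with a placeholder signature segment:

```python
import base64
import json
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_payload(token: str) -> dict:
    """Return the claims of a compact JWS ID token.

    Assumption: signature verification was already done by the OIDC
    middleware; this helper only reads the claims for the policy below.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def is_fresh_login(claims: dict, challenge_issued_at: int, expected_nonce: str,
                   max_age: Optional[int] = None, skew: int = 60,
                   now: Optional[int] = None) -> bool:
    """Decide whether the token proves credentials were entered after our challenge.

    Policy applied on the callback:
      * nonce must match the one generated for this challenge, so a token from
        an earlier flow cannot be replayed;
      * auth_time must be present and must not predate the challenge (minus a
        small clock-skew allowance); if prompt=login was stripped from the
        request, the OP reuses the old session and auth_time stays old;
      * when max_age was requested, auth_time must also be within max_age of now.
    """
    if claims.get("nonce") != expected_nonce:
        return False
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, int):
        return False
    if auth_time + skew < challenge_issued_at:
        return False
    if max_age is not None:
        if now is None:
            raise ValueError("now is required when max_age is enforced")
        if now - auth_time > max_age + skew:
            return False
    return True


def _constructed_token(claims: dict) -> str:
    """Build a JWS-shaped token for the demo; the signature segment is a placeholder."""
    def enc(obj) -> str:
        raw = obj if isinstance(obj, bytes) else json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), enc(b"placeholder-signature")])


CHALLENGE_AT = 1_700_000_000   # constructed: moment the app issued the challenge after logout
NONCE = "n-0S6_WzA2Mj"         # constructed: nonce stored alongside the challenge

# Constructed tokens for the three outcomes in the issue's scenario:
#   FRESH   - credentials entered 5 s after the challenge      -> accepted
#   STALE   - prompt was removed, OP reused a 1 h old session   -> rejected
#   MISSING - OP reported no auth_time at all                   -> rejected
TOKEN_FRESH = _constructed_token({"sub": "userA", "nonce": NONCE, "auth_time": CHALLENGE_AT + 5})
TOKEN_STALE = _constructed_token({"sub": "userA", "nonce": NONCE, "auth_time": CHALLENGE_AT - 3600})
TOKEN_MISSING = _constructed_token({"sub": "userA", "nonce": NONCE})


def check(token: str, max_age: Optional[int] = None, now: Optional[int] = None) -> bool:
    """Run the freshness policy for a token returned to this app's callback."""
    return is_fresh_login(id_token_payload(token), CHALLENGE_AT, NONCE, max_age, now=now)


if __name__ == "__main__":
    for name, tok in (("fresh", TOKEN_FRESH), ("stale", TOKEN_STALE), ("missing", TOKEN_MISSING)):
        print(name, "accepted" if check(tok) else "rejected")
```

Sending max_age in the challenge is worth doing in addition to prompt=login: OIDC Core requires the OP to return auth_time whenever max_age was requested, so a missing claim becomes a definite rejection rather than an ambiguity.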
Hi,
What is the best way to ensure that the params either in the query string or post params if using an http post are kept secure and tamper free?
I have seen a reference to a request object where this can be encrypted (or signed) but I don't see any examples anywhere and no sign of it in the OpenIdConnectHandler.
My goal is to force a user to provide their logon credentials if they log out of my application. I have seen that the prompt param can be supplied but if a user tampers with the request params they can remove or change the value in the prompt param.
I am concerned with the following scenario:
1) user A logs in and does some work then logs out
2) user A leaves their desk (or device unlocked)
3) user B is a bad actor and they decide to log onto user A's app pretending to be user A
4) user B knows they can alter the prompt param setting it to "none" so they don't have to provide a correct set of credentials
5) user B makes a bunch of changes (or worse) and user A gets the blame
Is there a way to secure the request params?
Many thanks,
CJ
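The signed request object mentioned in the question, as an added example that is not part of the original issue or of OpenIdConnectHandler. It follows the OIDC Core / RFC 9101 shape: the client puts the authorization parameters into a JWS and sends it as the `request` parameter, and the OP only uses parameters whose signature verifies, so an edited prompt value never reaches the login decision. HS256 keyed with the client_secret is assumed for a self-contained demo (OIDC Core allows it; RS256 with a registered key is the usual production choice). The endpoint URL, secret and parameters are constructed:

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def build_request_object(params: dict, client_secret: str) -> str:
    """Client side: wrap the authorization parameters in an HS256-signed JWS."""
    signing_input = f"{_b64url(_json({'alg': 'HS256', 'typ': 'JWT'}))}.{_b64url(_json(params))}"
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_request_object(request_jws: str, client_secret: str) -> dict:
    """OP side: return the parameters only if the signature is intact.

    Raises ValueError on any change to header, payload or signature.
    """
    parts = request_jws.split(".")
    if len(parts) != 3:
        raise ValueError("malformed request object")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never accept 'none'
    expected = hmac.new(client_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("request object signature mismatch")
    return json.loads(_b64url_decode(p))


def is_intact(request_jws: str, client_secret: str) -> bool:
    """Convenience wrapper: True if the OP would accept the request object."""
    try:
        verify_request_object(request_jws, client_secret)
        return True
    except ValueError:
        return False


def authorize_url(authorize_endpoint: str, params: dict, client_secret: str) -> str:
    """Compose the redirect; only client_id/response_type are duplicated in the clear."""
    query = {
        "client_id": params["client_id"],
        "response_type": params["response_type"],
        "request": build_request_object(params, client_secret),
    }
    return f"{authorize_endpoint}?{urlencode(query)}"


def with_replaced_payload(request_jws: str, new_params: dict) -> str:
    """Model the failure case from the issue: payload edited in transit, signature unchanged."""
    h, _, s = request_jws.split(".")
    return f"{h}.{_b64url(_json(new_params))}.{s}"


# Constructed values for the demo
SECRET = "constructed-client-secret"
AUTHORIZE = "https://op.example/authorize"          # placeholder OP endpoint
PARAMS = {
    "client_id": "my-app",
    "response_type": "code",
    "redirect_uri": "https://app.example/signin-oidc",
    "scope": "openid profile",
    "prompt": "login",          # the value the app insists on after logout
    "max_age": 0,
    "nonce": "n-0S6_WzA2Mj",
    "state": "af0ifjsldkj",
}
REQUEST_OBJECT = build_request_object(PARAMS, SECRET)
EDITED = with_replaced_payload(REQUEST_OBJECT, {**PARAMS, "prompt": "none"})

if __name__ == "__main__":
    print(authorize_url(AUTHORIZE, PARAMS, SECRET))
    print("original accepted:", is_intact(REQUEST_OBJECT, SECRET))
    print("edited accepted:  ", is_intact(EDITED, SECRET))
```

The protection only holds if the OP is configured to require a request object for this client (and to ignore bare query parameters that conflict with it); otherwise the user can simply drop the `request` parameter and send the plain form.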