iaean
commented
1 year ago If authn is enabled and working properly I can see GET /auth/keys HTTP/1.1 requests now.
Closed iaean closed 1 year ago
iaean
commented
1 year ago If authn is enabled and working properly I can see GET /auth/keys HTTP/1.1 requests now.
Can you check if cryptographic OIDC token validation is implemented sufficiently?
I'm asking because it looks like
dns3ldis actually not interested in client secrets orjwks_urikey stuff via/auth/.well-known/openid-configuration. I cant see any requests.If this is true we need to fix this immediately. We are highly vulnerable for token injection. That's why I marked this as bug for the moment.
Thanks for investigation.