italia / spid-cie-oidc-django

The SPID/CIE OIDC Federation SDK, written in Python
Apache License 2.0

Trust mark validation endpoint issues #308

Closed by mattebit 6 months ago

mattebit commented 7 months ago

When validating the trust marks, the trust_mark_status endpoint of the trust anchor only supports POST requests and needs a Django CSRF protection token to be processed. Is this intended? For example, in the spid-cie-oidc-docs the example of the trust mark status request doesn't include any CSRF protection header.

In openid-federation the trust mark status request must be made using a GET method when client authentication is not used. Will this GET method alternative be available?
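The two points raised above (GET must work when no client authentication is used, and a CSRF token makes no sense on this endpoint) can be shown on a small framework-agnostic model of the status endpoint. This is an added example, not code from spid-cie-oidc-django; the query parameter names `sub` and `id` and the `{"active": ...}` response shape are assumed from the OpenID Federation draft and should be checked against the version the project targets, and the trust-mark registry is constructed sample data.

```python
"""Model of a trust-mark status endpoint accepting GET and POST, no CSRF check.

Added example, not the project's code. Parameter names (`sub`, `id`) and the
`{"active": ...}` response are assumptions taken from the OpenID Federation
draft; the registry below is constructed sample data.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlsplit


@dataclass(frozen=True)
class IssuedTrustMark:
    sub: str        # entity the mark was issued to
    id: str         # trust mark identifier (profile/type)
    exp: int        # expiry, seconds since epoch
    revoked: bool = False


# Constructed sample data: a fixed "now" and two issued marks, one revoked.
NOW = 1_700_000_000
TA = "https://ta.example.org"
MARK_ID = f"{TA}/openid_relying_party/public"
REGISTRY = {
    ("https://rp.example.org", MARK_ID):
        IssuedTrustMark("https://rp.example.org", MARK_ID, exp=NOW + 3600),
    ("https://old-rp.example.org", MARK_ID):
        IssuedTrustMark("https://old-rp.example.org", MARK_ID, exp=NOW + 3600, revoked=True),
}
STATUS_URL = f"{TA}/trust_mark_status"


def is_active(sub: str, mark_id: str, now: int = NOW) -> bool:
    """A mark is active if it was issued, is not revoked and has not expired."""
    tm = REGISTRY.get((sub, mark_id))
    return tm is not None and not tm.revoked and tm.exp > now


def build_query(sub: str, mark_id: str) -> str:
    """Percent-encode the parameters for a GET request or a form-encoded POST body."""
    return urlencode({"sub": sub, "id": mark_id})


def trust_mark_status(method: str, url: str, body: str = "",
                      content_type: str = "", now: int = NOW):
    """Dispatch one request; returns (http_status, json_body).

    There is deliberately no CSRF token check: callers are federation
    entities, not browsers with a session cookie, so no ambient credential
    exists for a cross-site page to ride on. GET is accepted because the spec
    requires it when client authentication is not used; POST stays available.
    """
    if method == "GET":
        params = parse_qs(urlsplit(url).query)
    elif method == "POST":
        if content_type != "application/x-www-form-urlencoded":
            return 415, {"error": "unsupported_media_type"}
        params = parse_qs(body)
    else:
        return 405, {"error": "method_not_allowed"}

    sub = params.get("sub", [None])[0]
    mark_id = params.get("id", [None])[0]
    if not sub or not mark_id:
        return 400, {"error": "invalid_request"}
    return 200, {"active": is_active(sub, mark_id, now)}


if __name__ == "__main__":
    q = build_query("https://rp.example.org", MARK_ID)
    print(trust_mark_status("GET", f"{STATUS_URL}?{q}"))
    print(trust_mark_status("POST", STATUS_URL, body=q,
                            content_type="application/x-www-form-urlencoded"))
```

In Django the same shape is obtained by decorating the view with `csrf_exempt` (from `django.views.decorators.csrf`) and `require_http_methods(["GET", "POST"])` (from `django.views.decorators.http`), then reading the parameters from `request.GET` or `request.POST` depending on the method; the decision logic stays as above.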

peppelinux commented 7 months ago

According to the federation specs, the trust marks status endpoint doesn't require CSRF protection.

We can enable the GET method with a PR.

This has produced a regression in the Italian specs: https://bitbucket.org/openid/connect/pull-requests/699#Lopenid-federation-1_0.xmlF3625T3643

peppelinux commented 7 months ago

Please give me a week to resolve this before our final decision on this issue.

mattebit commented 7 months ago

I can try to write the GET method and make a PR if needed.

peppelinux commented 7 months ago

Resolved also here: https://bitbucket.org/openid/connect/pull-requests/704