nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0

Signature isn't injected into the proxied request #3

Closed Trojan295 closed 6 years ago

Trojan295 commented 7 years ago

Hello,

The plugin is injecting only the payload of the ID token into the request. On the upstream side, there is no option to validate the data in the 'X-Userinfo' header (an adversary could modify this on the fly).

Adding the whole ID token into the header (in base64) would solve this problem.

Br, Damian
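The difference the issue is describing, as an added example that is not part of the plugin or of the original thread: an upstream that decodes X-Userinfo has no way to tell a header rewritten on the path from Kong apart from the genuine one, whereas a header carrying the whole ID token lets the upstream check the provider's signature and reject a swapped payload. The example uses an HS256 token with a shared secret so it runs offline with the standard library only; real OIDC ID tokens are normally RS256 and would be verified against the provider's JWKS. The header name X-ID-Token, the issuer, client_id, secret and claims are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (assumptions, not values from the plugin).
SECRET = b"demo-shared-secret-not-for-production"
ISSUER = "https://idp.example.com"
CLIENT_ID = "kong-demo-client"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_x_userinfo(header_value: str) -> dict:
    """What an upstream can do with X-Userinfo: base64-decode the JSON and trust it.
    Nothing in the header binds these bytes to the identity provider."""
    return json.loads(base64.b64decode(header_value))


def make_id_token(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT standing in for the provider-issued ID token (demo only)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_id_token(token: str, secret: bytes, issuer: str, audience: str):
    """Return the claims only if signature, iss and aud check out; otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # the verifier, not the token, fixes the algorithm
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return None
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return None
    return claims


def tamper_payload(token: str, new_claims: dict) -> str:
    """Simulate an on-path attacker: swap the payload, keep the original signature."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{b64url_encode(json.dumps(new_claims).encode())}.{sig_b64}"


# Constructed claims for a user, and the elevated claims an attacker would want.
GENUINE_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "damian", "role": "user"}
FORGED_CLAIMS = {**GENUINE_CLAIMS, "role": "admin"}

# X-Userinfo as the gateway would set it, and as rewritten between gateway and upstream.
X_USERINFO = base64.b64encode(json.dumps(GENUINE_CLAIMS).encode()).decode()
TAMPERED_USERINFO = base64.b64encode(json.dumps(FORGED_CLAIMS).encode()).decode()

# The same rewrite applied to a header carrying the signed ID token (X-ID-Token is assumed).
ID_TOKEN = make_id_token(GENUINE_CLAIMS, SECRET)
TAMPERED_ID_TOKEN = tamper_payload(ID_TOKEN, FORGED_CLAIMS)


if __name__ == "__main__":
    print("X-Userinfo role (tampered, undetectable):", decode_x_userinfo(TAMPERED_USERINFO)["role"])
    print("X-ID-Token genuine:", verify_id_token(ID_TOKEN, SECRET, ISSUER, CLIENT_ID))
    print("X-ID-Token tampered:", verify_id_token(TAMPERED_ID_TOKEN, SECRET, ISSUER, CLIENT_ID))
```

The upstream should decide on the verified claims and ignore X-Userinfo entirely once the signed token is available; checking the signature but then reading the role from the unsigned header would reintroduce the same problem.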

tookko commented 7 years ago

To be accurate, X-Userinfo is populated with the payload of the user info, not the payload of the ID token.

Nevertheless, agree that it would be a useful enhancement to be able to pass the ID token for cases when the upstream service is in or behind an insecure network and the header might be compromised.

tsyrjanen commented 6 years ago

We put the user info into a header, X-Userinfo. But the headers also carry the access token, in Authorization. And using the access token you can request the user info from the userinfo_endpoint.

phirvone commented 6 years ago

Fixed in version 1.0.3.