solid / authentication-panel

GitHub repository for the Solid Authentication Panel
MIT License

Protection against brute force attacks #41

Closed kjetilk closed 3 years ago

kjetilk commented 4 years ago

I just did a superficial analysis of an unsuccessful brute force attack against my personal WordPress install. The interesting thing about it isn't really how it was done, but the fact that they hammered a single-user, tiny blog with less than 10 posts for several hours with 5 requests a second. I didn't think any reasonably intelligent attacker would bother, it was probably a bigger hog on their resources than mine...

However, it did lead me to think that we should see if there's something we should do to mitigate brute force attacks on the IdP spec level. Perhaps it is an implementation detail, but I wanted to bring it up for discussion if there is something that can be done.
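As an added illustration (not code from this thread or from the authentication-panel project), the following shows the kind of mitigation an IdP implementation can apply on its own, independent of the spec: per-account throttling of failed sign-in attempts with an escalating lockout. The class name, the thresholds, the constructed credentials and the simulated 5-requests-per-second run are all assumptions made for the example.

```javascript
// Added example: throttling repeated failed authentication attempts at an IdP.
// Thresholds and names are assumptions, not values from any Solid project.

class LoginThrottle {
  constructor({ maxFailures = 5, windowMs = 60_000, baseLockMs = 30_000, maxLockMs = 3_600_000 } = {}) {
    this.maxFailures = maxFailures; // failures tolerated inside one window
    this.windowMs = windowMs;       // sliding window for counting failures
    this.baseLockMs = baseLockMs;   // first lockout length; doubles on each repeat
    this.maxLockMs = maxLockMs;     // cap on the lockout length
    this.state = new Map();         // key -> { failures: [timestamps], lockUntil, lockouts }
  }

  _entry(key) {
    if (!this.state.has(key)) this.state.set(key, { failures: [], lockUntil: 0, lockouts: 0 });
    return this.state.get(key);
  }

  // Consult before verifying the credential; `now` is injected so tests are deterministic.
  check(key, now) {
    const e = this._entry(key);
    if (now < e.lockUntil) return { allowed: false, retryAfterMs: e.lockUntil - now };
    return { allowed: true, retryAfterMs: 0 };
  }

  // Record a failed attempt; returns the lockout length applied (0 if none).
  recordFailure(key, now) {
    const e = this._entry(key);
    e.failures = e.failures.filter(t => now - t < this.windowMs);
    e.failures.push(now);
    if (e.failures.length >= this.maxFailures) {
      const lockMs = Math.min(this.baseLockMs * 2 ** e.lockouts, this.maxLockMs);
      e.lockUntil = now + lockMs;
      e.lockouts += 1;
      e.failures = [];
      return lockMs;
    }
    return 0;
  }

  // A successful sign-in clears the account's counters.
  recordSuccess(key) {
    this.state.delete(key);
  }
}

// Simulate a guessing run at 5 requests/second against one account, using a
// constructed account and an always-wrong guess, to see how much work the
// throttle lets through. Returns counts rather than printing them.
function simulateAttack({ requests = 100, intervalMs = 200 } = {}) {
  const throttle = new LoginThrottle();
  const VALID = { user: 'alice', password: 'correct horse battery staple' }; // constructed
  const key = `acct:${VALID.user}`;
  let now = 0, attempted = 0, rejectedByThrottle = 0, locks = 0;
  for (let i = 0; i < requests; i++, now += intervalMs) {
    if (!throttle.check(key, now).allowed) { rejectedByThrottle++; continue; }
    attempted++;
    const ok = ('guess' + i) === VALID.password; // every guess is wrong here
    if (ok) throttle.recordSuccess(key);
    else if (throttle.recordFailure(key, now) > 0) locks++;
  }
  return { attempted, rejectedByThrottle, locks };
}

// Stand-alone run: 100 requests at 200 ms spacing; only the first 5 reach the
// credential check, the remaining 95 are rejected by the 30 s lockout.
console.log(simulateAttack());
```

In a real IdP the throttle would be keyed on both the account and the client address, rejected requests would be answered with HTTP 429 and a `Retry-After` header, and the counters would live in shared storage so that all instances behind a load balancer see the same state.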

elf-pavlik commented 4 years ago

I would suggest that the Solid team doesn't try to innovate here, and that whatever best practices exist for OIDC Providers, they just apply to the Solid IdP.

acoburn commented 3 years ago

The Solid-OIDC specification draws upon the security considerations of various underlying specifications:

https://openid.net/specs/openid-connect-core-1_0.html#Security
https://tools.ietf.org/html/rfc6749#section-10
https://tools.ietf.org/html/rfc7231#section-9