swedenconnect / technical-framework

Technical Specifications for the Swedish eID Framework

Support for csrf_token for signature service #150

Closed martin-lindstrom closed 3 years ago

martin-lindstrom commented 3 years ago

A SignRequest is posted to a Signature Service and it will process the request and when done post back a SignResponse. If the relying party has CSRF protection enabled we should honour this by accepting the following in the form containing the sign request:

<input type="hidden" name="csrf-token" value="CIwNZNlR...." />

And then later include this token in the form posted back.

Make changes to section "3.1.1. Sign Request XHTML Form" and "3.1.2. Sign Response XHTML Form" of Implementation Profile for using OASIS DSS in Central Signing Services.
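The round trip proposed above, worked through as an added example in Python (this is not code from the technical-framework project or the referenced profile): the relying party issues the token and stores it in its session, renders it in the sign request form, the stateless signature service echoes it back unchanged, and the relying party verifies it once on the returned SignResponse. The `SignRequest`/`SignResponse` field names, the action URL and the base64 payloads are assumptions made for the example.

```python
import hmac
import secrets
from html import escape
from html.parser import HTMLParser


def issue_csrf_token(session: dict) -> str:
    """Relying party: create a fresh random token and bind it to the user's session."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def build_sign_request_form(action: str, sign_request_b64: str, csrf_token: str) -> str:
    """Relying party: XHTML form posted to the signature service, carrying the token
    as the hidden 'csrf-token' field proposed in the issue."""
    return (
        f'<form method="POST" action="{escape(action, quote=True)}">'
        f'<input type="hidden" name="SignRequest" value="{escape(sign_request_b64, quote=True)}" />'
        f'<input type="hidden" name="csrf-token" value="{escape(csrf_token, quote=True)}" />'
        "</form>"
    )


class _HiddenInputs(HTMLParser):
    """Collect name/value pairs of hidden inputs (stands in for form decoding on either side)."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: dict = {}

    def handle_starttag(self, tag, attrs) -> None:
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value", "")


def parse_form_fields(html: str) -> dict:
    parser = _HiddenInputs()
    parser.feed(html)
    return parser.fields


def signature_service_respond(request_fields: dict, sign_response_b64: str) -> dict:
    """Signature service: stateless, so it keeps no token of its own; it only echoes
    the relying party's token back in the SignResponse form, if one was supplied."""
    fields = {"SignResponse": sign_response_b64}
    if "csrf-token" in request_fields:
        fields["csrf-token"] = request_fields["csrf-token"]
    return fields


def verify_sign_response(session: dict, posted: dict) -> bool:
    """Relying party: accept the posted SignResponse only if the echoed token matches the
    session-bound one. The token is consumed on every attempt (single use), and the
    comparison is constant-time."""
    expected = session.pop("csrf_token", None)
    got = posted.get("csrf-token")
    if expected is None or got is None:
        return False
    return hmac.compare_digest(expected, got)
```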

martin-lindstrom commented 3 years ago

No, this is not correct. A CSRF token is always generated by the server side, and the idea is that it is passed back to the client so that it can be included in any future requests from the client to the server. And since a signature service is stateless this just doesn't apply. Closing this one.