Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Proposal/discussion: OIDC requirement to ensure issuer URL == issuer claim #2003

Open
deleterepo opened this issue Jul 26, 2024 · 5 comments
Open

Proposal/discussion: OIDC requirement to ensure issuer URL == issuer claim #2003

deleterepo opened this issue Jul 26, 2024 · 5 comments
Assignees
@randomstuff @deleterepo @elarlang
Labels
1) Discussion ongoing Issue is opened and assigned but no clear proposal yet 2) Awaiting response Awaiting a response from the original poster V51 Group issues related to OAuth _5.0 - prep This needs to be addressed to prepare 5.0

Comments

@deleterepo
Copy link

As per the discussion in #1969. From https://openid.net/specs/openid-connect-discovery-1_0.html#Security:

An attacker may attempt to impersonate an OpenID Provider by publishing a Discovery document that contains an issuer Claim using the Issuer URL of the OP being impersonated, but with its own endpoints and signing keys. This would enable it to issue ID Tokens as that OP, if accepted by the RP

We can have a requirement such as this:

Verify that relying parties ensure that the issuer URL they are using for the configuration request exactly matches the value of the issuer claim in the OpenID provider metadata document received by the relying party, and that this also exactly matches the iss claim value in ID tokens that are supposed to be from that issuer.

@elarlang
@elarlang elarlang added the V51 Group issues related to OAuth label Jul 26, 2024
@randomstuff
Copy link

Verify that relying parties ensure that the issuer URL they are using for the configuration request exactly matches the value of the issuer claim in the OpenID provider metadata document received by the relying party, and that this also exactly matches the iss claim value in ID tokens that are supposed to be from that issuer.

These look like two requirements:

  1. Verify that relying parties ensure that the issuer URL they are using for the configuration request exactly matches the value of the issuer claim in the OpenID provider metadata document received by the relying party
  2. Verify that this also exactly matches the iss claim value in ID tokens that are supposed to be from that issuer.

Could this be reformulated something like:

  1. Verify that the relying parties configured using OpenID Provider Configuration Information ensure that the issuer URL advertised in the OpenID Provider Configuration Information exactly matches the issuer URL of this OpenID provider.
  2. Verify that the issuer (iss) claim in the ID tokens received from an OpenID Provider exactly matches the issuer URL of this OpenID Provider.

All this could apply to plain OAuth as well.

@tghosth tghosth added 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet _5.0 - prep This needs to be addressed to prepare 5.0 labels Jul 29, 2024
@elarlang
Copy link
Collaborator

Do you think it is OAuth and OIDC specific requirement, or is it in general token validation requirement?

We have requirement:

# Description L1 L2 L3 CWE NIST §
3.5.6 [ADDED] Verify that other, security-sensitive attributes of a stateless token are being verified. For example, in a JWT this may include issuer, subject, and audience. 287

The changes for mentioned requirement are discussed in #1967

@elarlang
Copy link
Collaborator

ping @deleterepo

Do you think it is OAuth and OIDC specific requirement, or is it in general token validation requirement?

I personally would like to address with general requirement for tokens, with OIDC as an example if needed. See #1967 (comment)

@elarlang elarlang added the 2) Awaiting response Awaiting a response from the original poster label Sep 15, 2024
@elarlang
Copy link
Collaborator

Seems duplicate of #1826 or at least related.

This was referenced Sep 17, 2024
Open
Closed
Open
@randomstuff
Copy link

Related : #2095 and Authorization Server Issuer Identification in general.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@randomstuff randomstuff

@deleterepo deleterepo

@elarlang elarlang

Labels
1) Discussion ongoing Issue is opened and assigned but no clear proposal yet 2) Awaiting response Awaiting a response from the original poster V51 Group issues related to OAuth _5.0 - prep This needs to be addressed to prepare 5.0
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@randomstuff @deleterepo @tghosth @elarlang