V51 OAuth: Add new OIDC chapter #2037
Labels
1) Discussion ongoing
Issue is opened and assigned but no clear proposal yet
V51
Group issues related to OAuth
_5.0 - prep
This needs to be addressed to prepare 5.0
To define a clear scope for the new OAuth chapter a suggestion si to alos add a OIDC chapter with the following scope definition (where the first section of the chapter i Control Objective and the last is OIDC References). Note that this assumes a new OAuth chapter as well (see #2036) and address (closes) #1924.
Control Objective
OIDC has become industry standard for login, web SSO and federation. OIDC is an identity layer on top of OAuth2 and all verifications in the OAuth2 chapter applies to this chapter as well. This chapter highlights core best current practices for OIDC based on references in the last section of this chapter, while OAuth2 is addressed in the OAuth2 chapter.
Please read this chapter in combination with all other chapters at this same level; we do not duplicate authentication, authorization, session management, general input validation concerns and so on. Rather, the general requirements from other chapters always apply and therefore this chapter can not be taken out of context and be tested separately.
This chapter only contains OIDC specific verifications and in example JWT validation and session management is part of other chapters.
OIDC References
OIDC is defined by a large set of specifications, see https://openid.net/developers/specs/. Verifications for this chapter has primarily been aligned with the security profile for Financial grade APIs (FAPI) 2.0, see https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html. FAPI applies to any OAuth2/OIDC application with high security requirements, such as finance, healthcare and government sectors.
The text was updated successfully, but these errors were encountered: