From ba40a31702ac7b5ac9e808fc7b46c8ae88033434 Mon Sep 17 00:00:00 2001 From: Axel Nennker Date: Tue, 12 Nov 2024 14:08:11 +0100 Subject: [PATCH 1/3] recommend auth code flow using signed requests --- documentation/CAMARA-Security-Interoperability.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/documentation/CAMARA-Security-Interoperability.md b/documentation/CAMARA-Security-Interoperability.md index 0a55da5..41ce44c 100644 --- a/documentation/CAMARA-Security-Interoperability.md +++ b/documentation/CAMARA-Security-Interoperability.md @@ -66,6 +66,8 @@ All network connections MUST use TLS 1.2 or better. The OIDC Authorization Code Flow is defined in [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html) +It is RECOMMENDED that signed authentication requests be used, as specified by [OIDC](https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests). The same key MAY be used for signing the authentication request as is used for client authentication. + ### Cross-Site Request Forgery Protection CAMARA REQUIRES cross-site request forgery (CSRF) protection. From d788f889f94f01ef9b1c2c4c4c8c806ed6b29ae6 Mon Sep 17 00:00:00 2001 From: Axel Nennker Date: Thu, 21 Nov 2024 10:55:19 +0100 Subject: [PATCH 2/3] reference to client-authentication key MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Jesús Peña García-Oliva --- documentation/CAMARA-Security-Interoperability.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/CAMARA-Security-Interoperability.md b/documentation/CAMARA-Security-Interoperability.md index 41ce44c..83221ea 100644 --- a/documentation/CAMARA-Security-Interoperability.md +++ b/documentation/CAMARA-Security-Interoperability.md 
@@ -66,7 +66,7 @@ All network connections MUST use TLS 1.2 or better. The OIDC Authorization Code Flow is defined in [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html) -It is RECOMMENDED that signed authentication requests be used, as specified by [OIDC](https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests). The same key MAY be used for signing the authentication request as is used for client authentication. +It is RECOMMENDED that signed authentication requests be used, as specified by [OIDC](https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests). The same key MAY be used for signing the authentication request as is used for [client authentication](#client-authentication). ### Cross-Site Request Forgery Protection From d41ba0597bfd3d9630207f1935186d1e69fbb08b Mon Sep 17 00:00:00 2001 From: Axel Nennker Date: Thu, 21 Nov 2024 11:03:33 +0100 Subject: [PATCH 3/3] recommendation regarding `aud` value added --- documentation/CAMARA-Security-Interoperability.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/CAMARA-Security-Interoperability.md b/documentation/CAMARA-Security-Interoperability.md index 83221ea..c8ea157 100644 --- a/documentation/CAMARA-Security-Interoperability.md +++ b/documentation/CAMARA-Security-Interoperability.md 
@@ -66,7 +66,7 @@ All network connections MUST use TLS 1.2 or better. The OIDC Authorization Code Flow is defined in [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html) -It is RECOMMENDED that signed authentication requests be used, as specified by [OIDC](https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests). The same key MAY be used for signing the authentication request as is used for [client authentication](#client-authentication). +It is RECOMMENDED that signed authentication requests be used, as specified by [OIDC](https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests). The same key MAY be used for signing the authentication request as is used for [client authentication](#client-authentication). This document recommends in the [client credentials section](#client-authentication) that the `aud` value SHOULD be the URL of the Authorization Server's [Token Endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint). The same recommendation is given for the `aud` value of the signed request object. ### Cross-Site Request Forgery Protection
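Review bot: On the first hunk (PATCH 1/3), "signed authentication requests" needs to rule out the unsigned form that the linked OIDC section also permits, otherwise an `alg: none` request object satisfies the wording. Suggest stating that the request object MUST be a signed JWT with an asymmetric `alg` (no `none`), that it is passed via the `request` parameter (or `request_uri`, if that is intended to be allowed), and that the Authorization Server MUST verify the signature against the keys the client registered (`jwks`/`jwks_uri`). Since the recommendation is new, the `@@ -66,6 +66,8 @@` context shows the paragraph is placed right after the Authorization Code Flow reference; a one-line rationale (for example that signing binds `redirect_uri`, `scope` and `state` to the client so the front channel cannot tamper with them) would help implementers understand why a RECOMMENDED was chosen.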
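Review bot: On the second hunk (PATCH 2/3), the new link to `[client authentication](#client-authentication)` makes the "same key MAY be used" clause depend on that section, but the sentence does not say that the clause only applies when the client authenticates with a key-based method. A client using a shared secret has no signing key to reuse, so suggest qualifying the sentence, for example "The same key MAY be used for signing the authentication request as is used for [client authentication](#client-authentication) when a key-based client authentication method (e.g. `private_key_jwt`) is used." Also confirm that the `client-authentication` anchor exists in the target document, since the diff context does not show it.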
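Review bot: On the third hunk (PATCH 3/3), recommending the Token Endpoint URL as the `aud` of the signed request object conflicts with OIDC Core section 6.1, which says the Request Object's `aud` SHOULD be or include the OP's Issuer Identifier URL; OPs that validate `aud` against their issuer will reject request objects built to this text, and a request object is sent to the Authorization Endpoint, not the Token Endpoint, so the value is also semantically off. Combined with the preceding sentence that allows the same signing key for both JWTs, giving both the same `aud` removes one of the claims that distinguishes a request object from a client assertion; suggest either following OIDC Core (`aud` = issuer) or, if the Token Endpoint URL is kept for interoperability reasons, saying so explicitly and requiring a distinguishing `typ` or claim set. Separately, the added sentence calls the linked section the "client credentials section" while the same anchor `#client-authentication` is called "client authentication" one sentence earlier; use one name, and replace the passive "The same recommendation is given for the `aud` value of the signed request object" with a direct normative statement such as "The `aud` value of the signed request object SHOULD be …".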