Security considerations for the Initiating User Registration specification

Issue #1644 resolved
Andrii Deinega created an issue

I'm wondering if the “security considerations” section should include a suggestion to send the authorization requests as a JWT as a protection against misuse (a malicious actor can’t add or change a value in the prompt parameter as the integrity of the request is checked by the OP).

Right now this section is empty, see https://openid.net/specs/openid-connect-prompt-create-1_0.html#name-security-considerations.

It might also make sense to include a reference to RFC 9101 as well.

As a side note, IMO this generic suggestion plays even a more important role for other values of the prompt parameter, say “login”.

Comments (6)

  1. gffletch

    Mike, would an update to the security considerations section be considered normative?

    I’m thinking something along the lines of…

    If integrity protecting the authorization request is required, please refer to RFC 9101.

    I can also see this as being something not necessary for the spec as it should be obvious to the implementor, and I agree with Andrii that there are more important authorization request elements to protect than the prompt value.
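The mechanism both the issue and the comment point at, RFC 9101 request objects, as an added example that is not part of this thread or of the OpenID specification: the client packs the whole authorization request (including `prompt=create`) into a signed JWT and sends it in the `request` parameter; the OP verifies the signature before reading any parameter out of it, so a `prompt` value altered in transit fails the check, whereas a bare `prompt` query parameter carries no integrity at all. Signing here uses HS256 with the client secret as the key (standard library only, so it runs offline); a production OP would normally use the client's registered public key. The client ID, secret, issuer, redirect URI, state and nonce are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

# Constructed sample values for this example only (not from the spec or the thread).
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = b"example-client-secret-not-real"  # shared secret used as the HS256 key
OP_ISSUER = "https://op.example.com"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(claims: dict, key: bytes) -> str:
    """Client side: wrap the authorization request parameters in a compact JWS (HS256)."""
    header = {"alg": "HS256", "typ": "oauth-authz-req+jwt"}  # media type from RFC 9101
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_request_object(token: str, key: bytes) -> dict:
    """OP side: check the signature and return the claims; raise ValueError on any change."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed request object")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("request object signature check failed")
    return json.loads(_b64url_decode(p))


def build_signed_request(prompt: str) -> str:
    """Client side: the request object for an authorization request with the given prompt."""
    claims = {
        "iss": CLIENT_ID,
        "aud": OP_ISSUER,
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": "https://rp.example.com/cb",  # constructed
        "scope": "openid",
        "prompt": prompt,
        "state": "af0ifjsldkj",     # constructed
        "nonce": "n-0S6_WzA2Mj",    # constructed
    }
    return sign_request_object(claims, CLIENT_SECRET)


def authorization_query(prompt: str) -> str:
    """Client side: the query string sent to the OP; only client_id travels outside the JWT."""
    return urlencode({"client_id": CLIENT_ID, "request": build_signed_request(prompt)})


def alter_prompt_claim(token: str, new_prompt: str) -> str:
    """Simulate an in-transit edit of the prompt claim without access to the signing key."""
    h, p, s = token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims["prompt"] = new_prompt
    return h + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + s


def op_resolve_prompt(query: str, key: bytes) -> str:
    """OP side: read prompt from the verified request object when one is present (any bare
    prompt parameter beside it is ignored, as RFC 9101 requires); otherwise from the bare
    query, which has no integrity protection at all."""
    params = parse_qs(query)
    if "request" in params:
        claims = verify_request_object(params["request"][0], key)
        if claims.get("aud") != OP_ISSUER or claims.get("client_id") != params.get("client_id", [None])[0]:
            raise ValueError("request object not bound to this OP and client")
        return claims.get("prompt", "")
    return params.get("prompt", [""])[0]


if __name__ == "__main__":
    q = authorization_query("create")
    print("verified prompt:", op_resolve_prompt(q, CLIENT_SECRET))
    edited = urlencode({"client_id": CLIENT_ID,
                        "request": alter_prompt_claim(parse_qs(q)["request"][0], "login")})
    try:
        op_resolve_prompt(edited, CLIENT_SECRET)
    except ValueError as err:
        print("rejected:", err)
```

The contrast worth noting is the last line of `op_resolve_prompt`: without a request object the OP simply trusts whatever `prompt` arrived, which is exactly the situation a security-considerations pointer to RFC 9101 would address.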
