Basic 3.3.1 Check ID Request in query parameter a bad security practice

Issue #297 resolved
Michael Jones created an issue

The Check ID Request section currently says: "To request the information about the authentication performed on the End-User and verify the ID Token, the following parameters MAY be sent to the Check ID Endpoint as query parameters in a GET or as form encoded in a POST request: id_token."

Why is it that we're recommending use of a query parameter when the OAuth Bearer security considerations are clear that query parameters should only be used if no other method is feasible because of the likelihood of tokens appearing in logs, etc., making leakage likely?

Should we instead require the use of the form-encoded body parameter and remove the query parameter method?

This also appears in Section 7.1 (Check ID Requests) of Standard (but in a sneaky way in which the word "query" is not used).

Comments (5)

  1. Nat Sakimura

    ID Token is not an access token. Since ID Token is not an access_token, it was changed from being used as Bearer token to HTTP parameter per #48.

    Since id_token is not an access_token, even if it is leaked, the utility of it to the attacker is limited. Thus, it has less impact than using access_token over GET parameter.

    Having said that, I think it is a bad practice to use GET parameter.

    I think the support for GET was inherited from the session management spec.

    Unless there is a strong reason against it, we should drop GET.

    The

  2. John Bradley

    I went through that with Breno a while ago. He was opposed to restricting it to POST at the time. We should check with him, before making a change.

    Personally I was in favour of POST only.

    It is however a direct call so the only issue is it being captured in logs. Stealing it without the session cookie should not be useful to an attacker.

  3. Nat Sakimura

    So keeping the GET but clearly stating the caution one should take in such a case may be the way to go for the time being.

  4. Michael Jones reporter

    OK, I can do that. I'll replicate the language from the OAuth Bearer spec saying that query should only be used if no other method is feasible. I'll leave the issue open for discussion on tomorrow's call.
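The two points raised in this thread, the issue's concern that a query-string id_token lands in ordinary access logs and comment 3's suggestion of keeping GET with a stated caution, can be illustrated with a small request handler. The code below is an added example and is not from the OpenID Connect specifications or from any implementation discussed here; the token value, the log line format and the function names are all constructed for illustration.

```python
"""Check ID Endpoint: id_token in a form-encoded POST body versus a GET query string.

Added example (not spec text). It shows:
  1. why an id_token sent as a query parameter appears verbatim in a
     typical web-server access log, while a POST body does not;
  2. a request parser that accepts id_token only from a form-encoded POST
     body, the stricter option proposed in the issue;
  3. a log-redaction helper for deployments that keep the GET form and
     must at least keep the token out of their own logs.
"""
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample token, not a real ID Token (unsigned header + tiny payload).
SAMPLE_ID_TOKEN = "eyJhbGciOiJub25lIn0.eyJzdWIiOiJ1c2VyLTEifQ."

FORM_CONTENT_TYPE = "application/x-www-form-urlencoded"


def access_log_line(method, request_target):
    """Common Log Format style line as a web server would record it.

    The request target is logged as received, query string included; the
    request body is not. This is the leakage path the issue describes.
    """
    return (
        '203.0.113.7 - - [01/Jan/2013:00:00:00 +0000] '
        f'"{method} {request_target} HTTP/1.1" 200 0'
    )


def token_leaks_into_log(method, request_target, token):
    """True if the token value would be visible in the access log line."""
    return token in access_log_line(method, request_target)


def extract_id_token(method, request_target, content_type, body):
    """Return the id_token from a Check ID request, or raise ValueError.

    Strict variant: the token is accepted only from a form-encoded POST body.
    A token found in the query string is refused outright, so it never
    reaches the request line that servers and proxies log.
    """
    query = parse_qs(urlsplit(request_target).query)
    if "id_token" in query:
        raise ValueError("id_token must not be sent as a query parameter")
    if method != "POST":
        raise ValueError("Check ID Request must use POST")
    if content_type.split(";")[0].strip().lower() != FORM_CONTENT_TYPE:
        raise ValueError("Check ID Request body must be form-encoded")
    tokens = parse_qs(body).get("id_token", [])
    if len(tokens) != 1:
        raise ValueError("exactly one id_token parameter is required")
    return tokens[0]


def redact_query_token(request_target):
    """Rewrite the request target so id_token's value is not logged.

    Mitigation for deployments that keep the GET form: apply it to the
    request target before it is written to the access log. It only helps
    with logs the deployer controls; intermediaries still see the token.
    """
    parts = urlsplit(request_target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    redacted = [(k, "REDACTED" if k == "id_token" else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(redacted)))


if __name__ == "__main__":
    get_target = f"/check_id?id_token={SAMPLE_ID_TOKEN}"
    print("GET leaks token into log:", token_leaks_into_log("GET", get_target, SAMPLE_ID_TOKEN))
    print("POST leaks token into log:", token_leaks_into_log("POST", "/check_id", SAMPLE_ID_TOKEN))
    print("Extracted from POST body:", extract_id_token(
        "POST", "/check_id", FORM_CONTENT_TYPE, f"id_token={SAMPLE_ID_TOKEN}"))
    print("Redacted request line:", access_log_line("GET", redact_query_token(get_target)))
```

Run as a script it prints the two log outcomes, the token recovered from the POST body, and a redacted GET request line. The strict parser is the behaviour the issue asks for; `redact_query_token` is the fallback for the "keep GET but caution" approach, and it only protects logs on the endpoint's own side.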
