Implement ANSSI recommendations for securing the implementation of the Openid-Connect protocol
Ref: Recommendations for securing the implementation of the Openid-Connect protocol (fr)
Most of the items are included in %2.18.0, except where noted below.
Items related to LLNG

LLNG as OIDC Relying Party:

- Already implemented and enabled:
  - Always send state (R10)
  - Randomly generate state and nonce (R11, R15)
  - Verify "state" (R22)
  - Verify id_token (R26, R28)
  - Check that the /userinfo response and the id_token have the same sub
- Doc about items to check:
  - oidcOPMetaDataOptionsUseNonce required (R14)
  - Disable HS* algorithms (to work around the "distinct client_secret" recommendation R27, plus R39)
  - /token calls:
    - implement JWS authentication (level+)
- code requests:
  - Implement optional Passing Request Parameters as JWTs during the code request (R8 and R8+) - release %2.19.0
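The Relying Party checks listed above, as an added Python illustration that is not LemonLDAP::NG code (the project itself is written in Perl): state and nonce generation, single-use constant-time state verification, the id_token claim checks with HS* and "none" algorithms refused, and the sub comparison between the id_token and the /userinfo response. The issuer URL, client_id, the session dict and the verify_signature callback are assumptions of this example (in a deployment the callback would be a JOSE library checking the signature against the OP's JWKS); the sample tokens are constructed inline with a placeholder signature.

```python
import base64
import hmac
import json
import secrets
import time
from typing import Any, Callable, Dict, Optional

# id_token algorithms the RP refuses: "none" and the symmetric HS* family,
# which would be keyed with the shared client_secret.
REJECTED_ALGS = {"none", "HS256", "HS384", "HS512"}


def new_authorization_request(session: Dict[str, Any]) -> Dict[str, str]:
    """Fresh, unpredictable state and nonce for every request (R10, R11, R15),
    kept in the RP session so the callback can be checked against them."""
    session["oidc_state"] = secrets.token_urlsafe(32)
    session["oidc_nonce"] = secrets.token_urlsafe(32)
    return {"response_type": "code",  # code flow only, no implicit/hybrid
            "state": session["oidc_state"], "nonce": session["oidc_nonce"]}


def check_state(session: Dict[str, Any], returned_state: Optional[str]) -> bool:
    """R22: the state echoed back must equal the stored one. It is consumed on
    first use so a replayed callback fails, and compared in constant time."""
    expected = session.pop("oidc_state", None)
    if expected is None or returned_state is None:
        return False
    return hmac.compare_digest(expected, returned_state)


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def make_sample_token(header: dict, claims: dict) -> str:
    """Compact JWS with a placeholder signature, used only to construct sample
    input for this example; a real OP signs with its private key."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join(enc(json.dumps(x).encode()) for x in (header, claims)) + "." + enc(b"sig")


def validate_id_token(token: str, issuer: str, client_id: str, nonce: str,
                      verify_signature: Callable[[dict, bytes, bytes], bool]) -> Dict[str, Any]:
    """RP-side id_token checks: signing algorithm, signature, iss, aud, exp and
    nonce. Raises ValueError on the first failure. verify_signature(header,
    signing_input, signature) is caller-supplied: in a deployment, a JOSE
    library checking against the OP's JWKS (assumed here, not implemented)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") in REJECTED_ALGS:
        raise ValueError("rejected alg %r" % header.get("alg"))
    if not verify_signature(header, (parts[0] + "." + parts[1]).encode(), _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued to this client")
    if float(claims.get("exp", 0)) <= time.time():
        raise ValueError("id_token expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")), nonce):
        raise ValueError("nonce mismatch")
    return claims


def userinfo_matches(id_claims: Dict[str, Any], userinfo: Dict[str, Any]) -> bool:
    """The /userinfo response must describe the same subject as the id_token."""
    return "sub" in id_claims and userinfo.get("sub") == id_claims["sub"]


def demo() -> Dict[str, bool]:
    """Run the checks over constructed sample data; every value should be True."""
    issuer, client_id = "https://op.example", "rp1"       # sample values
    trust_all = lambda header, signing_input, sig: True   # stands in for the JWKS check
    session: Dict[str, Any] = {}
    req = new_authorization_request(session)
    nonce = session["oidc_nonce"]
    base = {"iss": issuer, "aud": client_id, "exp": 2_000_000_000,
            "sub": "alice", "nonce": nonce}
    out = {"state_ok": check_state(session, req["state"]),
           "state_replay_rejected": not check_state(session, req["state"])}
    claims = validate_id_token(make_sample_token({"alg": "RS256", "kid": "k1"}, base),
                               issuer, client_id, nonce, trust_all)
    out["id_token_ok"] = claims["sub"] == "alice"
    out["sub_match"] = userinfo_matches(claims, {"sub": "alice", "email": "a@x"})
    out["sub_mismatch_caught"] = not userinfo_matches(claims, {"sub": "mallory"})
    for name, hdr, cl in (("hs_rejected", {"alg": "HS256"}, base),
                          ("nonce_rejected", {"alg": "RS256"}, dict(base, nonce="x")),
                          ("aud_rejected", {"alg": "RS256"}, dict(base, aud="other"))):
        try:
            validate_id_token(make_sample_token(hdr, cl), issuer, client_id, nonce, trust_all)
            out[name] = False
        except ValueError:
            out[name] = True
    return out
```

The alg check runs before the signature callback on purpose: an RP that first verifies and only then looks at alg can be talked into validating an HS256 token keyed with its own client_secret, which is exactly what the "disable HS*" item above avoids.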
LLNG as OIDC Provider:

- Already implemented and enabled:
  - randomly generate code (R18)
  - randomly generate access_token (R24)
  - associate access_token with the RP (R20)
  - disable code after the /token call (R30)
  - don't write access_token in logs (R32)
  - limit access_token TTL (R33)
  - Use session cookie
- Doc about items to check:
  - hybrid and implicit flows must be disabled (R1)
  - disable HS* algorithms (to work around the "distinct client_secret" recommendation R27, plus R39) [Restrict]
  - disable automatic enrollment (R49)
  - limit access_token validity in endpoints to a short time (R19)
  - reject open redirections (R17)
- Auto-discover:
  - Disable /.well-known/openid-configuration (R48: the document is given by hand, but then provide a way to download it using the manager) [Out] - release %2.19.0
- code request:
  - support JWS authentication (R8, R8+):
    - accept JWT (R8 and R8+)
    - require it [Out] - release %2.19.0
  - accept only one mode per RP (R9) [Restrict]
  - require state and nonce (R12, R16) [Restrict] - release %2.19.0
  - store code and access_token as hashes (R21, R25) - release %2.19.0
- /token calls:
  - implement JWS authentication (level+)
  - require it [Out]
- /userinfo calls:
  - authentication using access_token only inside the Authorization: Bearer header (R31) [Restrict] - release %2.19.0
Notes:
- [Restrict]: restricts the OpenID-Connect spec, may break some clients
- [Out]: out of the OpenID-Connect spec, will break a lot of clients
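The Provider-side items above, as an added Python illustration that is not LemonLDAP::NG code: an authorization-request gate that allows only the code flow, refuses RPs configured for HS* signing, matches redirect_uri verbatim and requires state and nonce; a token store that keeps codes and access_tokens only as SHA-256 digests, binds them to the issuing RP, expires them and consumes a code on its first /token redemption; and a /userinfo handler that takes the access_token from the Authorization: Bearer header only. The RP_REGISTRY dict, the TTL values and the fixed clock are assumptions of this example, not LLNG's configuration or storage format.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample RP registration (not LLNG's configuration format):
# exact redirect_uri list (R17) and the id_token signing alg each RP asked for.
RP_REGISTRY = {
    "rp1": {"redirect_uris": ["https://rp1.example/cb"], "id_token_alg": "RS256"},
    "rp2": {"redirect_uris": ["https://rp2.example/cb"], "id_token_alg": "HS256"},
}


def check_authorize_request(p: Dict[str, str]) -> Optional[str]:
    """Error string for a non-compliant authorization request, None if it passes:
    no HS* RP (R27/R39), code flow only (R1), exact redirect_uri (R17), state + nonce (R12, R16)."""
    rp = RP_REGISTRY.get(p.get("client_id", ""))
    if rp is None or rp["id_token_alg"].startswith("HS"):   # client_secret-keyed signing is disabled
        return "unknown client_id or HS* algorithm"
    if p.get("response_type") != "code":                    # implicit and hybrid flows are disabled
        return "unsupported_response_type"
    if p.get("redirect_uri") not in rp["redirect_uris"]:    # exact match, no prefix or open redirect
        return "invalid redirect_uri"
    if not p.get("state") or not p.get("nonce"):
        return "state and nonce required"
    return None


class TokenStore:
    """Codes and access_tokens are random (R18, R24), stored only as SHA-256 digests
    (R21, R25; the digest is also what gets logged, R32), bound to the issuing RP
    (R20), short-lived (R19, R33); a code is invalidated by the first /token call (R30)."""

    def __init__(self, code_ttl: int = 60, access_token_ttl: int = 600):
        self.code_ttl, self.access_token_ttl = code_ttl, access_token_ttl
        self._codes: Dict[str, dict] = {}
        self._access: Dict[str, dict] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_code(self, client_id: str, sub: str, redirect_uri: str, now: float) -> str:
        code = secrets.token_urlsafe(32)
        self._codes[self._digest(code)] = {"client_id": client_id, "sub": sub,
                                           "redirect_uri": redirect_uri, "exp": now + self.code_ttl}
        return code   # the plaintext leaves the OP exactly once, to the RP

    def redeem_code(self, code: str, client_id: str, redirect_uri: str, now: float) -> Optional[dict]:
        rec = self._codes.pop(self._digest(code), None)   # pop: a code is single-use
        if rec is None or rec["exp"] <= now:
            return None
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            return None
        return rec

    def issue_access_token(self, client_id: str, sub: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._access[self._digest(token)] = {"client_id": client_id, "sub": sub,
                                             "exp": now + self.access_token_ttl}
        return token

    def lookup_access_token(self, token: str, now: float) -> Optional[dict]:
        rec = self._access.get(self._digest(token))
        return rec if rec is not None and rec["exp"] > now else None


def userinfo_endpoint(headers: Dict[str, str], query: Dict[str, str],
                      store: TokenStore, now: float) -> Tuple[int, dict]:
    """R31: the access_token is accepted only in 'Authorization: Bearer';
    a token passed in the query string (or a form body) is refused outright."""
    if "access_token" in query:
        return 400, {"error": "invalid_request"}
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    rec = store.lookup_access_token(token, now) if scheme == "Bearer" and token else None
    if rec is None:
        return 401, {"error": "invalid_token"}
    return 200, {"sub": rec["sub"]}


def demo() -> Dict[str, bool]:
    """One code-flow login over constructed data with a fixed clock (t0 = 1000.0); all True."""
    store, uri, t0 = TokenStore(), "https://rp1.example/cb", 1000.0
    good = {"client_id": "rp1", "response_type": "code", "state": "s1",
            "nonce": "n1", "redirect_uri": uri}
    out = {
        "good_request": check_authorize_request(good) is None,
        "implicit_rejected": check_authorize_request(dict(good, response_type="id_token token")) is not None,
        "open_redirect_rejected": check_authorize_request(dict(good, redirect_uri=uri + "/../x")) is not None,
        "hs_rp_rejected": check_authorize_request(dict(good, client_id="rp2")) is not None,
    }
    code = store.issue_code("rp1", "alice", uri, t0)
    out["only_digest_stored"] = code not in store._codes
    out["code_redeemed"] = store.redeem_code(code, "rp1", uri, t0 + 1) is not None
    out["code_replay_rejected"] = store.redeem_code(code, "rp1", uri, t0 + 2) is None
    at = store.issue_access_token("rp1", "alice", t0)
    out["bearer_ok"] = userinfo_endpoint({"Authorization": "Bearer " + at}, {}, store, t0 + 1)[0] == 200
    out["query_token_rejected"] = userinfo_endpoint({}, {"access_token": at}, store, t0 + 1)[0] == 400
    out["expired_token_rejected"] = userinfo_endpoint({"Authorization": "Bearer " + at}, {}, store, t0 + 601)[0] == 401
    return out
```

Storing only the digest is what makes R21/R25 useful: a leaked session or token database no longer yields usable codes or access_tokens, and the same digest is a safe correlation value for logs (R32). Because redeem_code pops the record before any other check, a code that has been replayed or presented by the wrong RP is gone either way, which is the behaviour R30 asks for.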
Edited by Yadd