[Geoserver-devel] [JIRA] (GEOS-9435) [community - oauth2] Include basic auth header for OAuth2 token introspection requests

Alessio Fabiani created an issue

GeoServer / Improvement GEOS-9435

[community - oauth2] Include basic auth header for OAuth2 token introspection requests

Issue Type:

Improvement

Assignee:

Alessio Fabiani

Components:

Community modules, OAuth2, Security

Created:

18/Dec/19 12:00 PM

Priority:

Medium

Reporter:

Alessio Fabiani

Currently no authentication is provided when the OAuth2 provider sends requests to introspect a token (for example when calling the tokeninfo/ endpoint).

As suggested by common best practices for OAuth2, authentication is highly encouraged to reduce the exposure to attacks and to prevent leakage of users' private data.

The proposal is to add an auth header inside the requests with Basic auth encoding of the client id and client secret: base64(client_id:client_secret)

This solution will make it compatible with several OAuth2/OIDC backends (like django-oidc-provider) which expect this header to allow the request.
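The exchange proposed above, as an added example that is not part of the issue or of GeoServer's code (the GeoServer OAuth2 module is Java; this Python is only an illustration of the HTTP-level behaviour). It builds the `Authorization: Basic base64(client_id:client_secret)` header the way RFC 6749 section 2.3.1 specifies (each credential is form-urlencoded before the join, which is what keeps a `:` inside a secret from breaking the split), assembles an RFC 7662 introspection request, and includes a server-side check that approximates what a backend such as django-oidc-provider does when it requires the header. The introspection URL, client id, secret and token values are constructed for the example; `check_basic_auth` is a stand-in for the provider's logic, not its code.

```python
import base64
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import quote, unquote, urlencode


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Return the Authorization value for HTTP Basic client authentication.

    Per RFC 6749 section 2.3.1 the id and secret are each
    application/x-www-form-urlencoded before being joined with ':' and
    base64-encoded; for plain ASCII credentials this is the familiar
    base64(client_id:client_secret).
    """
    enc_id = quote(client_id, safe="")
    enc_secret = quote(client_secret, safe="")
    raw = f"{enc_id}:{enc_secret}".encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_introspection_request(
    introspect_url: str,
    access_token: str,
    client_id: Optional[str] = None,
    client_secret: Optional[str] = None,
) -> Tuple[str, str, Dict[str, str], str]:
    """Assemble an RFC 7662 token introspection request as (method, url, headers, body).

    With client_id/client_secret omitted this is the current, unauthenticated
    request the issue describes; with them set it is the proposed request.
    """
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    if client_id is not None and client_secret is not None:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    body = urlencode({"token": access_token, "token_type_hint": "access_token"})
    return ("POST", introspect_url, headers, body)


def check_basic_auth(headers: Dict[str, str], expected_id: str, expected_secret: str) -> bool:
    """Provider-side check (assumed behaviour, not django-oidc-provider's code).

    Rejects a missing or non-Basic header, malformed base64, or a credential
    mismatch. Both fields are compared in constant time and unconditionally so
    a wrong client_id does not return faster than a wrong secret.
    """
    value = headers.get("Authorization", "")
    scheme, _, creds = value.partition(" ")
    if scheme.lower() != "basic" or not creds:
        return False
    try:
        decoded = base64.b64decode(creds, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    got_id, sep, got_secret = decoded.partition(":")
    if not sep:
        return False
    ok_id = hmac.compare_digest(unquote(got_id).encode("utf-8"), expected_id.encode("utf-8"))
    ok_secret = hmac.compare_digest(unquote(got_secret).encode("utf-8"), expected_secret.encode("utf-8"))
    return ok_id and ok_secret


if __name__ == "__main__":
    # Constructed values; the URL is hypothetical.
    url = "https://idp.example.org/o/introspect/"
    before = build_introspection_request(url, "tok-123")
    after = build_introspection_request(url, "tok-123", "geoserver", "s3cret")
    print("without header accepted:", check_basic_auth(before[2], "geoserver", "s3cret"))
    print("with header accepted:   ", check_basic_auth(after[2], "geoserver", "s3cret"))
```

The form-urlencoding step is the detail most hand-rolled clients skip; a secret containing `:` or `%` is then mis-split or mis-decoded by a strict provider, and the failure looks like a wrong password. The request must of course only ever be sent over TLS, since the header carries the client secret in recoverable form.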



This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100117-sha1:92fb180)
