Alessio Fabiani created an issue

[community - oauth2] Include basic auth header for OAuth2 token introspection requests

Issue Type: Improvement
Assignee:
Components: Community modules, OAuth2, Security
Created: 18/Dec/19 12:00 PM
Priority: Medium
Reporter:
Currently no authentication is provided when the OAuth2 provider sends requests to introspect a token (for example when calling the tokeninfo/ endpoint). As suggested by common best practices for OAuth2, authentication is highly encouraged to reduce the exposure to attacks and prevent leakage of users' private data. The proposal is to add an auth header to the requests with Basic auth encoding of the client id and client secret. This solution will make it compatible with several OAuth/OIDC backends (like django-oidc-provider) which expect this header to allow the request.
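The header the issue proposes, shown as an added example that is not GeoServer's or django-oidc-provider's code: the client side builds the RFC 7617 Basic credential from client id and secret and attaches it to an RFC 7662 style introspection POST, and the provider side validates it with a constant-time comparison. The endpoint URL and the client credentials are constructed sample values.

```python
"""Basic-auth protected token introspection: client request and server check."""
import base64
import hmac
from typing import Dict, Optional
from urllib.parse import urlencode
from urllib.request import Request

# Constructed sample values (assumptions, not real credentials or endpoints).
CLIENT_ID = "geoserver-client"
CLIENT_SECRET = "s3cr3t-example"
INTROSPECTION_URL = "https://idp.example.org/introspect/"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 7617: 'Basic ' + base64(client_id + ':' + client_secret)."""
    creds = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def build_introspection_request(token: str, client_id: str, client_secret: str) -> Request:
    """Form-encoded POST carrying the client credentials in the Authorization header."""
    body = urlencode({"token": token, "token_type_hint": "access_token"}).encode("ascii")
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return Request(INTROSPECTION_URL, data=body, headers=headers, method="POST")


def authenticate_client(authorization: Optional[str], registry: Dict[str, str]) -> Optional[str]:
    """Provider side: return the client_id if the header carries a registered secret, else None.

    A missing, malformed or wrong header yields None, i.e. the introspection request is refused.
    """
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, secret = decoded.partition(":")
    if not sep:
        return None
    expected = registry.get(client_id)
    # Constant-time comparison so a wrong secret is not distinguishable by response timing.
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return None
    return client_id
```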
This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100117-sha1:92fb180) |