From: Sander A. <sa....@fz...> - 2024-03-06 12:06:17
Hi Krzysztof, hi Roman,

we got the hint from one of our connected clients that Unity does not check the client secret in the authentication flow. This would be a huge security issue. The client is a confidential client with optional PKCE. The operators told us Unity is not checking the secret even if they disable PKCE for it. Is there any scenario where Unity does not check the client secrets in the requests? I know in the past we had some issues with a missing basic auth header or passwords containing special characters, which were not properly encoded and Unity did not accept their requests.

Another issue which was also re-opened was checking the token signature at the userinfo endpoint. In May 2022 Roman said Unity is only checking the JTI against its internal database and using the information from that but not further checking the sent token. Here we got the question if there was an update of this behaviour.

Best regards,
Sander

--
Large-Scale Data Science
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren district court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Stefan Müller
Management Board: Prof. Dr. Astrid Lambrecht (Chair), Karsten Beneke (Deputy Chairman), Dr. Ir. Pieter Jansens
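The client-authentication behaviour the mail asks about, as an added reference example in Python that is not Unity's code: a hypothetical token-endpoint check that takes the secret from an HTTP Basic header (percent-encoded before base64, as RFC 6749 Appendix B requires, so special characters survive) or from the form body, compares it in constant time, and never waives it for a confidential client just because PKCE is disabled or a code_verifier is present. The client registry and credentials are constructed.

```python
import base64
import hmac
from urllib.parse import parse_qs, quote, unquote

# Constructed client registry (hypothetical, not Unity's): id -> secret and PKCE policy.
CLIENTS = {
    "portal": {"secret": "p@ss:w/rd#1", "pkce_required": False},
}

def basic_header(client_id, secret):
    """Build the Authorization value a client should send: each part is
    form-urlencoded first (RFC 6749 App. B), then the pair is base64-encoded."""
    pair = f"{quote(client_id, safe='')}:{quote(secret, safe='')}"
    return "Basic " + base64.b64encode(pair.encode()).decode()

def _basic_credentials(headers):
    """Decode HTTP Basic credentials; None if absent or malformed."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth[6:], validate=True).decode("utf-8")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if ":" not in raw:
        return None
    cid, secret = raw.split(":", 1)  # secret is percent-encoded, so a ':' inside it is safe
    return unquote(cid), unquote(secret)

def authenticate_client(headers, body):
    """Return (ok, error) for a token request from a confidential client."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    creds = _basic_credentials(headers)
    if creds is None and "client_id" in form:  # fall back to client_secret_post
        creds = (form["client_id"], form.get("client_secret", ""))
    if creds is None:
        return False, "invalid_client"
    cid, secret = creds
    client = CLIENTS.get(cid)
    # The secret is mandatory for a confidential client regardless of PKCE:
    # a code_verifier is an addition to, never a replacement for, the secret.
    if client is None or not secret or not hmac.compare_digest(
            secret.encode(), client["secret"].encode()):
        return False, "invalid_client"
    if client["pkce_required"] and "code_verifier" not in form:
        return False, "invalid_request"
    return True, None
```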