From: Krzysztof B. <kb...@un...> - 2024-03-07 11:11:24
Hi Sander,

On 6.03.2024 at 13:05, Sander Apweiler wrote:
> Hi Krzysztof, hi Roman,
>
> we got the hint from one of our connected clients that unity does not
> check the client secret in the authentication flow. This would be a
> huge security issue. The client is a confidential client with optional
> PKCE. The operators told us unity is not checking the secret even if
> they disable PKCE for it. Is there any scenario where unity does not
> check the client secrets in the requests?

Yes, I can confirm that. It is a regression introduced when adding support
for PKCE for confidential clients. We will release a fixed version ASAP.

> I know in the past we had some issues with a missing basic auth header or
> passwords containing special characters, which were not properly encoded
> and unity did not accept their requests.
>
> Another issue which was also re-opened was checking the token signature
> at the userinfo endpoint. In May 2022 Roman said unity is only checking
> the JTI against its internal database and using the information from
> that but not further checking the sent token. Here we got the question
> if there was an update of this behaviour.

I don't think so, but I'll let Roman answer.

Best,
Krzysztof
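The bug class discussed above, as an added example that is not Unity's code and not part of this thread: a token-endpoint decision that treats a PKCE verifier as an alternative to client authentication (the hypothetical `token_request_buggy`, written to show the shape of the mistake, not what Unity actually did) next to the correct rule (`token_request_fixed`): a confidential client must always present its secret, and PKCE, when the code was bound to a challenge, is checked in addition. The client registry, secrets, codes and verifiers are constructed for the example; requiring PKCE for public clients is this example's own policy.

```python
# Added example (not Unity's code): client authentication at the token
# endpoint must not be bypassed by PKCE. All clients, secrets, codes and
# verifiers below are constructed for this example.
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = sha256(verifier.encode("ascii"))
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass(frozen=True)
class Client:
    client_id: str
    confidential: bool
    # Hash of the registered secret, None for public clients. A production
    # store would use a slow password hash; SHA-256 keeps the example short.
    secret_hash: Optional[bytes]


# Constructed registry: a confidential client with optional PKCE, a public client.
CLIENTS: Dict[str, Client] = {
    "web-app": Client("web-app", True, sha256(b"web-app-secret")),
    "spa": Client("spa", False, None),
}

# Constructed authorization-code store: code -> (client_id, S256 challenge or None)
CODES: Dict[str, Tuple[str, Optional[str]]] = {
    "code-plain": ("web-app", None),                                 # PKCE not used
    "code-pkce": ("web-app", s256_challenge("verifier-for-web-app")),
    "code-spa": ("spa", s256_challenge("verifier-for-spa")),
}


def secret_matches(client: Client, presented: Optional[str]) -> bool:
    """Constant-time comparison of the presented (already decoded) secret."""
    if client.secret_hash is None or presented is None:
        return False
    return hmac.compare_digest(client.secret_hash, sha256(presented.encode("utf-8")))


def pkce_matches(challenge: Optional[str], verifier: Optional[str]) -> bool:
    """True when the code carried no challenge, or the verifier hashes to it."""
    if challenge is None:
        return True
    if verifier is None:
        return False
    return hmac.compare_digest(challenge, s256_challenge(verifier))


def _lookup(client_id: str, code: str):
    client = CLIENTS.get(client_id)
    issued = CODES.get(code)
    if client is None or issued is None or issued[0] != client_id:
        return None
    return client, issued[1]


def token_request_buggy(client_id: str, client_secret: Optional[str],
                        code: str, code_verifier: Optional[str]) -> bool:
    """Hypothetical bug shape: PKCE accepted as an alternative to the secret.
    A confidential client is let in with no secret at all, even for a code
    that was issued without any PKCE challenge."""
    found = _lookup(client_id, code)
    if found is None:
        return False
    client, challenge = found
    return secret_matches(client, client_secret) or pkce_matches(challenge, code_verifier)


def token_request_fixed(client_id: str, client_secret: Optional[str],
                        code: str, code_verifier: Optional[str]) -> bool:
    """Correct rule: authenticate confidential clients unconditionally; PKCE,
    where the code was bound to a challenge, is verified in addition."""
    found = _lookup(client_id, code)
    if found is None:
        return False
    client, challenge = found
    if client.confidential and not secret_matches(client, client_secret):
        return False
    if not client.confidential and challenge is None:
        return False  # this example's policy: public clients must use PKCE
    return pkce_matches(challenge, code_verifier)
```

Note that `secret_matches` compares the decoded secret; the Basic-auth header and form-encoding issues mentioned in the thread (special characters in secrets) are a transport-decoding concern that sits in front of this check, and a decoding failure should be reported as a failed authentication, not skipped.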