This repository was archived by the owner on Mar 3, 2022. It is now read-only.

Validate issuer from returned discovery document #222

Open
brockallen opened this issue Dec 8, 2016 · 1 comment

@brockallen
Contributor

Check by default, but allow a flag to disable the check

@brockallen brockallen self-assigned this Dec 8, 2016
@brockallen brockallen added this to the 2.0.0 milestone Dec 13, 2016
@brockallen
Contributor Author

Also flags to check/validate:

  • https from all endpoints if authority also https
  • all domains in discovery from same origin as authority
  • require at_hash in id_token
  • allowed signing algs
  • require https on authority
  • require kid (or id_token has kid, mandate that it matches one from keys)
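
The discovery-document items from this issue (issuer, https on authority and endpoints, same origin), sketched as an added example that is not code from this repository or its author. `validateDiscovery`, its option names, the endpoint key list and the sample document are assumptions made for illustration, and the issuer is assumed to be compared to the configured authority by exact string match.

```javascript
// Added example: validateDiscovery and its option names are hypothetical.
const ENDPOINT_KEYS = [
  "authorization_endpoint", "token_endpoint", "userinfo_endpoint",
  "jwks_uri", "end_session_endpoint", "check_session_iframe",
];

// Returns a list of problems; an empty list means the document passed.
function validateDiscovery(authority, doc, opts = {}) {
  // Every check is on by default; each flag can switch one off.
  const o = {
    validateIssuer: true, requireHttpsAuthority: true,
    requireHttpsEndpoints: true, requireSameOrigin: true, ...opts,
  };
  const errors = [];
  const auth = new URL(authority);
  const authIsHttps = auth.protocol === "https:";
  if (o.requireHttpsAuthority && !authIsHttps) errors.push("authority is not https");
  // Assumption: issuer must equal the configured authority exactly.
  if (o.validateIssuer && doc.issuer !== authority) errors.push("issuer does not match authority");
  for (const key of ENDPOINT_KEYS) {
    if (typeof doc[key] !== "string") continue; // endpoint not advertised
    let url;
    try {
      url = new URL(doc[key]);
    } catch (e) {
      errors.push(`${key} is not a valid URL`);
      continue;
    }
    // https is only demanded of endpoints when the authority itself is https.
    if (o.requireHttpsEndpoints && authIsHttps && url.protocol !== "https:") {
      errors.push(`${key} is not https`);
    }
    if (o.requireSameOrigin && url.origin !== auth.origin) {
      errors.push(`${key} is not on the authority's origin`);
    }
  }
  return errors;
}

// Constructed sample document (not from a real provider).
const sampleAuthority = "https://idp.example.com";
const sampleDoc = {
  issuer: "https://idp.example.com",
  authorization_endpoint: "https://idp.example.com/connect/authorize",
  token_endpoint: "http://idp.example.com/connect/token",
  jwks_uri: "https://keys.example.net/jwks",
};
console.log(validateDiscovery(sampleAuthority, sampleDoc));
```

An http endpoint under an https authority fails both the https check and the same-origin check, because the scheme is part of the origin.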
