[jira] [Updated] (NIFI-8406) Oidc Identity Provider should support assertions as client credentials for authenticating against the token endpoint

Fri, 09 Apr 2021 00:41:05 -0700 


     [ 
https://issues.apache.org/jira/browse/NIFI-8406?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Vijay Jammi updated NIFI-8406:
------------------------------
    Description: 
The current oidc client authentication methods (client_secret_post, 
client_secret_basic) require client credentials (client_secret) to be stored as 
plain text on the client's filesystem, which could also be inadvertently 
checked into source control system.

Due to these and other security considerations, we should be able to use 
assertions as client credentials for authenticating against the token endpoint. 

While using assertions an oidc client will include client_assertion and 
client_assertion_type parameters instead of passing the client_secret for 
authentication. These recommendations are based off RFC 7523, Section 2.2 
(Using JWTs for Client Authentication) and RFC 7521 (Using Assertions for 
Client Authentication).

 

 

  was:
The current oidc client authentication methods (client_secret_post, 
client_secret_basic) require client credentials (client_secret) to be stored as 
plain text on the client's filesystem, which could also be inadvertently 
checked into source control system.

Due to these and other security considerations, we should be able to use 
assertions as client credentials for authenticating against the token endpoint.

 

 

 


> Oidc Identity Provider should support assertions as client credentials for 
> authenticating against the token endpoint
> --------------------------------------------------------------------------------------------------------------------
>
>                 Key: NIFI-8406
>                 URL: https://issues.apache.org/jira/browse/NIFI-8406
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework, Security
>    Affects Versions: 1.11.4
>            Reporter: Vijay Jammi
>            Priority: Major
>              Labels: OIDC, Security, assertion
>
> The current oidc client authentication methods (client_secret_post, 
> client_secret_basic) require client credentials (client_secret) to be stored 
> as plain text on the client's filesystem, which could also be inadvertently 
> checked into source control system.
> Due to these and other security considerations, we should be able to use 
> assertions as client credentials for authenticating against the token 
> endpoint. 
> While using assertions an oidc client will include client_assertion and 
> client_assertion_type parameters instead of passing the client_secret for 
> authentication. These recommendations are based off RFC 7523, Section 2.2 
> (Using JWTs for Client Authentication) and RFC 7521 (Using Assertions for 
> Client Authentication).
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to