[ https://issues.apache.org/jira/browse/NIFI-8406?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Vijay Jammi updated NIFI-8406:
------------------------------
Description:
The current oidc client authentication methods (client_secret_post, client_secret_basic) require client credentials (client_secret) to be stored as plain text on the client's filesystem, which could also be inadvertently checked into a source control system.

Due to these and other security considerations, we should be able to use assertions as client credentials for authenticating against the token endpoint.

While using assertions an oidc client will include client_assertion and client_assertion_type parameters instead of passing the client_secret for authentication. These recommendations are based on [RFC 7523, Section 2.2 (Using JWTs for Client Authentication)|https://tools.ietf.org/html/rfc7523#section-2.2] and [RFC 7521 (Using Assertions for Client Authentication)|https://tools.ietf.org/html/rfc7521#section-4.2].

was:
The current oidc client authentication methods (client_secret_post, client_secret_basic) require client credentials (client_secret) to be stored as plain text on the client's filesystem, which could also be inadvertently checked into a source control system.

Due to these and other security considerations, we should be able to use assertions as client credentials for authenticating against the token endpoint.

While using assertions an oidc client will include client_assertion and client_assertion_type parameters instead of passing the client_secret for authentication. These recommendations are based on RFC 7523, Section 2.2 (Using JWTs for Client Authentication) and RFC 7521 (Using Assertions for Client Authentication).
> Oidc Identity Provider should support assertions as client credentials for
> authenticating against the token endpoint
> --------------------------------------------------------------------------------------------------------------------
>
>                 Key: NIFI-8406
>                 URL: https://issues.apache.org/jira/browse/NIFI-8406
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework, Security
>    Affects Versions: 1.11.4
>            Reporter: Vijay Jammi
>            Priority: Major
>              Labels: OIDC, Security, assertion
>
> The current oidc client authentication methods (client_secret_post,
> client_secret_basic) require client credentials (client_secret) to be stored
> as plain text on the client's filesystem, which could also be inadvertently
> checked into a source control system.
> Due to these and other security considerations, we should be able to use
> assertions as client credentials for authenticating against the token
> endpoint.
> While using assertions an oidc client will include client_assertion and
> client_assertion_type parameters instead of passing the client_secret for
> authentication. These recommendations are based on [RFC 7523, Section 2.2
> (Using JWTs for Client
> Authentication)|https://tools.ietf.org/html/rfc7523#section-2.2] and [RFC
> 7521 (Using Assertions for Client
> Authentication)|https://tools.ietf.org/html/rfc7521#section-4.2].
>
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
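As an added illustration of the exchange the issue describes (this is not code from Apache NiFi or from the issue itself), the following builds the token request that carries client_assertion and client_assertion_type per RFC 7523 Section 2.2 instead of a client_secret, and shows the checks the token endpoint performs on the assertion (issuer/subject match, audience, expiry, bounded lifetime, single-use jti, signature verified only after the algorithm is pinned). It assumes a constructed client id, token endpoint URL and a per-client HS256 key standing in for the asymmetric key a private_key_jwt deployment would use; the claim set, the request parameters and the verifier's checks are the same in either case, only the signing primitive differs.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from urllib.parse import parse_qs, urlencode

# Assertion type registered for RFC 7523 JWT client authentication.
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_client_assertion(client_id, token_endpoint, signing_key, lifetime=60, now=None, jti=None):
    """Client side: a short-lived JWT whose iss and sub are the client_id and
    whose aud is the token endpoint (RFC 7523 Section 3). HS256 is an assumption
    made here so the block is self-contained; private_key_jwt would sign with
    the client's private key (RS256/ES256) and the claim set stays identical."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": client_id,
        "sub": client_id,
        "aud": token_endpoint,
        "jti": jti or uuid.uuid4().hex,  # unique per assertion so replay is detectable
        "iat": now,
        "exp": now + lifetime,
    }
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(signing_key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def build_token_request(code, redirect_uri, client_id, token_endpoint, signing_key, **assertion_opts):
    """Form body for the authorization_code grant: no client_secret parameter,
    the assertion is the client credential."""
    params = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_assertion_type": JWT_BEARER,
        "client_assertion": build_client_assertion(client_id, token_endpoint, signing_key, **assertion_opts),
    }
    return urlencode(params)


class AssertionVerifier:
    """Token endpoint side: validates a client_assertion and returns the authenticated client_id."""

    def __init__(self, token_endpoint, client_keys, max_lifetime=300):
        self.token_endpoint = token_endpoint
        self.client_keys = client_keys        # client_id -> registered key
        self.max_lifetime = max_lifetime      # reject assertions valid for longer than this
        self.seen_jti = set()                 # jti values already accepted (replay cache)

    def verify(self, form_body, now=None):
        now = int(time.time()) if now is None else now
        params = {k: v[0] for k, v in parse_qs(form_body).items()}
        if params.get("client_assertion_type") != JWT_BEARER:
            raise ValueError("unsupported client_assertion_type")
        parts = params.get("client_assertion", "").split(".")
        if len(parts) != 3:
            raise ValueError("malformed assertion")
        header = json.loads(_b64url_decode(parts[0]))
        # Pin the algorithm before touching the key: never let the token choose it (e.g. "none").
        if header.get("alg") != "HS256":
            raise ValueError("unexpected alg")
        claims = json.loads(_b64url_decode(parts[1]))
        client_id = claims.get("iss")
        if not client_id or claims.get("sub") != client_id:
            raise ValueError("iss/sub mismatch")
        key = self.client_keys.get(client_id)
        if key is None:
            raise ValueError("unknown client")
        expected = hmac.new(key, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            raise ValueError("bad signature")
        aud = claims.get("aud")
        if aud != self.token_endpoint and not (isinstance(aud, list) and self.token_endpoint in aud):
            raise ValueError("audience is not this token endpoint")
        exp = claims.get("exp")
        if exp is None or now >= exp:
            raise ValueError("assertion expired")
        if exp - claims.get("iat", exp) > self.max_lifetime:
            raise ValueError("assertion lifetime too long")
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:
            raise ValueError("missing or replayed jti")
        self.seen_jti.add(jti)
        return client_id


def rejects(verifier, form_body, now):
    """True if the verifier refuses the request (used to exercise the failure paths)."""
    try:
        verifier.verify(form_body, now=now)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    key, endpoint = b"constructed-per-client-key", "https://idp.example/oauth2/token"
    verifier = AssertionVerifier(endpoint, {"nifi-client": key})
    body = build_token_request("code123", "https://nifi.example/callback", "nifi-client", endpoint, key)
    print(body)
    print("authenticated as", verifier.verify(body))
```

Because the assertion is bound to one token endpoint (aud), expires within a minute and carries a single-use jti, a leaked assertion is far less useful than a leaked client_secret, which is the property the issue is after; the key that signs it never leaves the client.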