Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

do not include authentication header in .query when jti is recorded in agent #87

Open
JohnMoehrke opened this issue Oct 17, 2023 · 1 comment
Open

do not include authentication header in .query when jti is recorded in agent #87

JohnMoehrke opened this issue Oct 17, 2023 · 1 comment
Labels
CP Worthy

Comments

@JohnMoehrke
Copy link
Contributor

Where a query interaction succeeds (is authorized) and thus the AuditEvent has an .agent following the OAuth profile which includes recording of the oauth token jti; then the inclusion of the http authentication header is not needed and the inclusion of it in the AuditEvent presents a security risk (token reuse).
@jkiddo jkiddo mentioned this issue Oct 19, 2023
Open
@JohnMoehrke
Copy link
Contributor Author

Is there some profile of the oauth token that can be described that preserves in the audit that which is useful while explicitly excluding the concerning portions? We need subject matter expert to define this profile of the oauth token for this use-case.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CP Worthy
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@JohnMoehrke