-
Notifications
You must be signed in to change notification settings - Fork 13
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: user claims in the ID Token #55
Conversation
added support for ecrypted ID Token
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
|
GitGuardian id | Secret | Commit | Filename | |
---|---|---|---|---|
- | Bearer Token | 4b64291 | docs/en/userinfo_endpoint.rst | View secret |
- | Bearer Token | 4b64291 | docs/en/userinfo_endpoint.rst | View secret |
- | Bearer Token | 4b64291 | docs/it/userinfo_endpoint.rst | View secret |
- | Bearer Token | a7be856 | docs/en/userinfo_endpoint.rst | View secret |
- | Bearer Token | a7be856 | docs/en/userinfo_endpoint.rst | View secret |
- | Bearer Token | a7be856 | docs/it/userinfo_endpoint.rst | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secrets safely. Learn here the best practices.
- Revoke and rotate these secrets.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
Our GitHub checks need improvements? Share your feedbacks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Questa PR dovrebbe essere unita nel momento in cui AgID definisce i contenuti del prossimo avviso SPID
Ho creato dei box di disambiguazione per evidenziare il diverso funzionamento di CIEid e SPID rispetto alla questione degli attributi utente nellID Token. |
Per la nostra revisione dobbiamo considerare le implicazioni di criptare l'id_token anche quando sono in esso presenti i grant tokens delle attribute authorities |
Durante la riunione del 10 Ottobre è stata discussa questa PR e le proposte pendenti:
|
Please consider that in:
I think that the merge of claims requested in userinfo or in id_token is not standard. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ho aggiunto i miei commenti relativi alla parte CIE.
@@ -195,57 +172,35 @@ When the **scope** parameter is used, the following values are supported: | |||
- *email*; | |||
- *email_verified*. | |||
|
|||
The attributes requested by the parameter **scope** are available both in the ID Token and in the response to the Userinfo Endpoint. | |||
.. admonition:: |spid-icon| | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Only for SPID: if a scope is requested other than 'openid', the RP metadata SHOULD contains id_token_encrypted_response_alg and id_token_encrypted_response_enc and their value SHOULD NOT be 'none'.
If a scope is requested other than 'openid' and the RP metadata do not contains id_token_encrypted_response_alg and id_token_encrypted_response_enc or their value is 'none', none user attributes are returned in the id_token from token endpoint response.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll keep this comment and try to include it after the next commits and revisions, so please keep this on hold
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd just put in the metadata parameter definition that the allowed values MUST be the same as the ones adopted for encrypting userinfo ... just a pointer without a re-definition
do you agree?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, as in SPID Notice 41
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
here my proposal
so if you agree we may merge it as it is and then create a separate PR for that
docs/en/authorization_endpoint.rst
Outdated
|
||
If the parameter **claims** is not present or has no value and the only scope openid has been requested, only the claim *sub* is returned in the response to the *userinfo endpoint*. | ||
|
||
.. admonition:: |spid-icon| | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Only for SPID:
Only if the RP metadata contains id_token_encrypted_response_alg and id_token_encrypted_response_enc and their value is not 'none', the user attributes requested by the id_token object into the claims parameter will be available into the id_token from the token endpoint, added to any claims that are being requested using scope values.
The user attributes requested by the userinfo object into the claims parameter will be available only into the response from the userinfo endpoint, added to any Claims that are being requested using scope values.
@nunzionapoli please check if this is compliant to OIDC Core.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
here my proposal
so if you agree we may merge it as it is and then create a separate PR for that
@@ -225,6 +225,15 @@ ID Token | |||
++++++++ | |||
|
|||
The ID Token is a JSON Web Token (JWT) that contains information on the user that has executed the authentication. The RPs MUST validate the ID Token. | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Only for SPID: if some user attributes are requested with scope or claim parameter, the RP metadata SHOULD contains id_token_encrypted_response_alg and id_token_encrypted_response_enc and their value SHOULD NOT be 'none'.
If some user attributes are requested with scope or claim and the RP metadata does not contains id_token_encrypted_response_alg and id_token_encrypted_response_enc or their value is 'none', none user attributes are returned in the id_token from token endpoint response.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
here my proposal
so if you agree we may merge it as it is and then create a separate PR for that
docs/it/authorization_endpoint.rst
Outdated
|
||
.. admonition:: |spid-icon| | ||
|
||
Gli attributi richiesti tramite il parametro **scope** sono disponibili nella risposta allo *userinfo endpoint*. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Solo per SPID: se sono richiesti scope ulteriori a 'openid', il metadata del RP DOVREBBE contenere id_token_encrypted_response_alg e id_token_encrypted_response_enc ed il loro valore dovrebbe essere diverso da 'none'. Se sono richiesti scope ulteriori a 'openid' e il metadata del RP non contiene id_token_encrypted_response_alg e id_token_encrypted_response_enc o il loro valore è 'none', nessun attributo utente viene restituito nell'id_token nella risposta dall'endpoint token.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
here my proposal
so if you agree we may merge it as it is and then create a separate PR for that
docs/it/authorization_endpoint.rst
Outdated
|
||
La tabella seguente mostra alcuni esempi di utilizzo. | ||
.. admonition:: |spid-icon| | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Solo per SPID:
Solo se il metadata del RP contiene id_token_encrypted_response_alg e id_token_encrypted_response_enc ed il loro valore è diverso da 'none', gli attributi utente richiesti tramite l'oggetto id_token del parametro claims saranno disponibili nell'id_token restituito dall'endpoint token, in aggiunta agli altri claim eventualmente richiesti tramite il parametro scope.
Gli attributi utente richiesti tramite l'oggetto userinfo del parametro claims saranno disponibili solo nella risposta ottenuta dall'endpoint userinfo, in aggiunta agli altri claim eventualmente richiesti tramite il parametro scope.
@nunzionapoli gentilmente verifica se tale comportamento è conforme a OIDC Core.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
here my proposal
so if you agree we may merge it as it is and then create a separate PR for that
@@ -224,6 +224,11 @@ ID Token | |||
++++++++ | |||
|
|||
L'ID Token è un JSON Web Token (JWT) che contiene informazioni sull'utente che ha eseguito l'autenticazione. I RP DEVONO eseguire la validazione dell'ID Token. | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Solo per SPID: se sono richiesti attributi utente tramite il parametro scope o tramite il parametro claims, il metadata del RP DOVREBBE contenere id_token_encrypted_response_alg e id_token_encrypted_response_enc ed il loro valore dovrebbe essere diverso da 'none'. Se sono richiesti attributi utente tramite il parametro scope o tramite il parametro claims ed il metadata del RP non contiene id_token_encrypted_response_alg e id_token_encrypted_response_enc oppure il loro valore è 'none', nessun attributo dell'utente sarà presente nell'id_token restituito dall'endpoint token.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
here my proposal
so if you agree we may merge it as it is and then create a separate PR for that
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
inseriti commenti per gli attributi utente in id_token per SPID
TODO:
|
Attributi utente disponibili nell'ID Token
Content
Prossimo Avviso SPID
Questa PR risolve
#54
Review