Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added language requiring authorization of stream management API #173

Merged
merged 6 commits into from
Jun 10, 2024
Merged

Added language requiring authorization of stream management API #173

merged 6 commits into from
Jun 10, 2024

Conversation

FragLegs
Copy link
Contributor

@FragLegs FragLegs commented May 23, 2024
edited
Loading

To address the attacks proposed in #161 and #160, this PR adda a paragraph indicating that all Stream Management API endpoints must use authorization that associates stream IDs with a specific Receiver, unless some other method of trust is established.

@FragLegs FragLegs requested a review from a team as a code owner May 23, 2024 16:24
This was referenced May 24, 2024
Closed
Merged
This was linked to issues May 24, 2024
Stream Audience Mix-Up #161
Closed
Attacker Stream Subject Insertion #160
Closed
@tulshi tulshi requested a review from timcappalli May 24, 2024 20:41
timcappalli
timcappalli approved these changes May 26, 2024
View reviewed changes
openid-sharedsignals-framework-1_0.md Outdated Show resolved Hide resolved
@FragLegs
Copy link
Contributor Author

FragLegs commented Jun 4, 2024

Update RFC2818 and RFC7235 to RFC9110

@FragLegs
Update RFC references
9f942f0
@FragLegs
Make it clear that HTTPS is required for the jwks_uri and all stream …
78eb6bb 
…management API endpoints, regardless of whether there is an alternative way of securing the communication. Add language saying the the Transmitter should also tie the 'aud' value to the auth from the Receiver.
@FragLegs
Add RFC9110 to references
b7b8e8a
@tulshi tulshi merged commit d2607b9 into main Jun 10, 2024
2 checks passed
@tulshi tulshi deleted the 161-require-auth branch June 10, 2024 17:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@appsdesh appsdesh appsdesh left review comments

@tulshi tulshi tulshi approved these changes

@timcappalli timcappalli timcappalli approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Stream Audience Mix-Up Attacker Stream Subject Insertion
4 participants
@FragLegs @appsdesh @timcappalli @tulshi