Details

    • Sprint: OpenIG Sprint 138 (7.0 init), OpenIG Sprint 139, OpenIG Sprint 140 (xmas)
    • Story Points: 8

Description

As a route developer, I want to validate an incoming id_token in order to ensure authenticity, integrity, audience and expiration (not exhaustive).

Business Value

Sometimes an access_token alone is not sufficient to provide all the information we may want about the subject, so we may have an OpenID Connect id_token at hand. We then need to ensure that it is still valid (expiration date, exp), that it is intended for us (aud) and that it has been issued by the expected issuer (signature and iss).

Acceptance Criteria

    • Filtered requests pass through the filter if the id_token is valid
      • Returns a 403 Forbidden otherwise
      • Or we may want to have a configurable failure Handler (TBD)
    • The id_token location can be configured (expression)
    • Expiration is checked
    • Audience is checked against a value provided in the configuration
    • Issuer can be validated against a value provided in the configuration
    • If signed (as it should be), the filter verifies the signature using a secret provided in the configuration
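The checks listed above, as an added reference implementation in Python (not OpenIG's own filter code): it verifies an HS256 signature with the configured shared secret, then exp, aud and iss, and maps the outcome onto pass-through or 403 Forbidden. The secret, audience, issuer and sample token are constructed placeholders standing in for values a route would read from its configuration.

```python
import base64, hashlib, hmac, json, time
def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def mint_hs256_token(claims, secret):
    """Build an HS256-signed JWT; used here only to construct sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate_id_token(token, secret, audience, issuer, now=None):
    """Check signature (HS256, configured secret), exp, aud and iss; return (ok, claims_or_reason)."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        provided_sig = _b64url_decode(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise TypeError("JOSE header and claims set must be JSON objects")
    except (ValueError, TypeError, AttributeError):
        return False, "malformed token"
    # Pin the algorithm: a token announcing alg=none or a different alg must not pass.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided_sig):
        return False, "bad signature"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired"
    aud = claims.get("aud")  # aud may be a single string or a list of strings
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    return True, claims

def filter_status(token, secret, audience, issuer, now=None):
    # The story's outcome: let the request through (200) or answer 403 Forbidden.
    return 200 if validate_id_token(token, secret, audience, issuer, now)[0] else 403

# Constructed sample: secret, audience and issuer stand in for values read from route config.
SECRET, AUD, ISS = b"constructed-shared-secret", "openig-route", "https://issuer.example"
SAMPLE_TOKEN = mint_hs256_token({"iss": ISS, "aud": AUD, "exp": 2_000_000_000, "sub": "alice"}, SECRET)
```

The `now` parameter exists so expiry can be tested deterministically; production callers leave it unset.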

People

    • Assignee: Violette Roche Montane
    • Reporter: Guillaume Sauthier