Collaborate Disseminate
OIDC says mTLS can be used to authenticate the client. But I haven’t read anywhere whether the OIDC Provider is supposed to accept self-signed SSL certificates. Are there any dangers to accepting self-signed certificates? Should these self… Continue reading mTLS with OpenID Connect and validating self-signed certificates
When I want to use encrypted request object with OpenID Connect then my OIDC provider must know my client_secret (used in JWT request object encryption). For the server to decrypt this object, that is, it has to store unencrypted client_se… Continue reading Encrypted request object in OpenID Connect
Recently, I started to wonder if OpenID Connect is really secure enough. I have analyzed tons of different sites and official documentation and so far I don’t see any problems except that stealing user sessions from one client can lead an … Continue reading OpenID Connect security issues
I have some related questions:
Is it possible to spoof the source address in the TCP/IP header when using HTTPS?
If possible, is there any way to detect source address change? I think the checksum is not a good idea because if you can cha… Continue reading Spoofing TCP/IP headers and uniqueness of the host name