Collaborate Disseminate
I’m wondering how exactly IAM Roles for Service Accounts authenticate requests to assume a role using the sts:AssumeRoleWithWebIdentity action when the role is in another account? The documentation has enabled me to get my solution working… Continue reading How are cross-account requests to assume IAM Roles using the ‘sts:AssumeRoleWithWebIdentity’ action authenticated?
I want to grant processes running on OpenStack infrastructure some access to AWS resources. (I also want to avoid manually rotating keys, and minimise the impact if credentials leak from these instances.)
Is there any secure way to associa… Continue reading How to grant AWS roles to OpenStack workloads?
I am using Keycloak as OIDC provider for several web applications. I have approximately 50 users and 5 applications. Some applications contain sensitive data and are used only by the company managers. Other applications are not so critical… Continue reading Keycloak – SSO security best practices
Background
Hashicorp Vault provides an auth method to enable Kubernetes Pods to authenticate to Vault by configuring integration between a Kubernetes cluster and Vault.
Question
The docs recommend setting up OIDC discovery endpoint integra… Continue reading Risks in using JWKS URL over OIDC discovery endpont?
According to the OIDC specification:
The issuer value returned MUST be identical to the Issuer URL that was
used as the prefix to /.well-known/openid-configuration to retrieve
the configuration information. This MUST also be identical to … Continue reading What are the risks of disabling issuer URL validation?
I understand the different purposes the two parameters serve, but is there anything speaking against the state and nonce parameters being the same string?
Continue reading Can the state and nonce have the same value?
Context
I’m designing a P2P network with a central Discovery Service (providing core info about every platform in the network) but no centralised Auth server.
OAuth 2.0 and OpenID Connect will be used for authorisation between platforms in… Continue reading Discovery Service as a Trust Anchor for P2P Network?
I came across this article. In there the author suggests to use PKCE which is recommended by RFC 8252. But what I am a little bit confused about that the author also uses an application server that has the client_secret.
Are both client_se… Continue reading OIDC for mobile app with PKCE and client_secret
This may be just an academic question, but I have been wondering about something, OK so for this purpose all we care about is AuthN, not AuthZ. Also, there are no users at all, just daemon-to-daemon communications.
So of course we’re all … Continue reading OIDC identity token authentication using JWKS instead of token_introspection
We have a situation of the session_state param on an OpenID Connect/Oauth app is sent on GET. We asked the developers to send it on POST. Developers claim that because standard OIDC/OAuth use 302 redirects, GET is the only option and they … Continue reading Can OpenID session_state be sent on POST?