Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Relying Party security considerations for Cross Device Flow #89

Merged
merged 5 commits into from
Aug 4, 2023
Merged

Relying Party security considerations for Cross Device Flow #89

merged 5 commits into from
Aug 4, 2023

Conversation

peppelinux
Copy link
Member

This PR uses the same url scheme used in the cross device also for the same device

it also adds a section related to the security considerations about how a cross device flow should secure the user-agent session

grausof
grausof requested changes Aug 3, 2023
View reviewed changes
docs/en/relying-party-solution.rst Outdated
Comment on lines 147 to 150
.. code-block:: text

eudiw://authorize?client_id=https://verifier.example.org&request_uri=https://verifier.example.org/request_uri

Copy link
Collaborator

@grausof grausof Aug 3, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand that this will be the content of the QR code. If so, how will the RP backend distinguish one request from another?
In this way the qr code will be static and identical for everyone

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it is a non normative example but anyway we should decide it the reuqest_uri is the same but with urlparams ?state=$that-state or having dynamic request_uri (and then outside of the wallet relying party metadata) that are related to different request_objects (available in the queue)

I think that it would be better taking the JARM recommendation, remove the request_uri from the metadata, and have random request_uri bound to specific state.

@grausof do you agree?

grausof
grausof approved these changes Aug 3, 2023
View reviewed changes
Copy link
Collaborator

@grausof grausof left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@peppelinux peppelinux merged commit 1f154a4 into versione-corrente Aug 4, 2023
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@grausof grausof grausof approved these changes

@fmarino-ipzs fmarino-ipzs fmarino-ipzs approved these changes

@balanza balanza Awaiting requested review from balanza

Assignees
No one assigned
Labels
security wallet-solution
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@peppelinux @balanza @grausof @fmarino-ipzs