
yahoo-eng-team team mailing list archive

[Bug 2027729] [NEW] Federation docs for OIDC recommend implicit grant

 

Public bug reported:

The documentation for setting up OIDC says to use id_token in
OIDCResponseType instead of code (or omitting the line entirely since
code is the default).

https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#configuring-apache-httpd-for-mod-auth-openidc

Using implicit grant is not recommended as
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-09

What is recommended is Authorization Code with PKCE.

** Affects: keystone
     Importance: Undecided
         Status: Triaged


** Tags: documentation federation

https://bugs.launchpad.net/bugs/2027729
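
The change the report asks for, shown as an added illustration (not taken from the bug report or the keystone documentation). `OIDCPKCEMethod` is a mod_auth_openidc directive that the report does not mention, and the rest of the provider and client configuration is assumed to be in place already.

```apache
# Setting the report objects to: implicit grant.
# The ID token is returned directly from the authorization endpoint
# through the browser.
#
#   OIDCResponseType id_token

# Setting the report recommends: Authorization Code with PKCE.
# "code" is the default, so omitting OIDCResponseType has the same effect;
# stating it explicitly makes the intent visible in review.
OIDCResponseType code

# Assumption: PKCE is enabled with the S256 challenge method, so the
# authorization code is bound to a verifier that only this client holds.
OIDCPKCEMethod S256
```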
