Details
-
Improvement
-
Status: Closed
-
Major
-
Resolution: Fixed
-
3.7.0
-
None
Description
Today upon receiving a OIDC auth request James verifies the signature against a configured JWKS endpoint to validate the token.
This decentralized design do not account for revocation.
Several solution to this problem exists:
- Calling the OIDC provider introspection endpoint to validate the token
- Or having a set of invalidated token maintained by the application, this needs to be updated by a backchannel from the OIDC provider.
While my favor tend to go to the second one, the first one is rather common to.
To give an exemple, one of my customers is required to implement the first approach: calling the introspection endpoint.
Proposed solution
- Optional configurable endpoint for checking token validity
- If specified this endpoint will be called to validate OIDC tokens
The call can be performed using a reactor-netty HTTP client.
References
- https://datatracker.ietf.org/doc/html/rfc7662 RFC-7662 OAuth 2.0 Token Introspection
Attachments
Attachments
Issue Links
- links to