Use HTTP verb in Service Provider request mapper

Fabien BERTEAU fabien.berteau at manomano.com
Thu Oct 21 13:10:39 UTC 2021


This answer scares me because we already use OIDC but we realize that it is
not enough. Indeed, PKCE stores access tokens within the reach of
JavaScript and therefore of an XSS-type attack. To overcome this, we use a
reverse proxy overlay (NextAuth) to make our OIDC authorization server
believe that we are still in Authorization Code flow. But this results in
an overly complex system which I think could be simplified with SAML. If
you yourself are against the use of SAML in this increasingly widespread
use case, then I am afraid of us :)


Fabien Berteau | Security Architect

Bordeaux

fabien.berteau at manomano.com <aurelien.lajoie at manomano.com>


On Thu, 21 Oct 2021 at 15:05, Cantor, Scott <cantor.2 at osu.edu> wrote:

> On 10/21/21, 9:01 AM, "users on behalf of Fabien BERTEAU" <
> users-bounces at shibboleth.net on behalf of fabien.berteau at manomano.com>
> wrote:
>
> > I know how to use Shibboleth to protect classical server side
> applications but I am a newbie about protecting
> > a SPA. Do you have documentation on how to do that ?
>
> No, I know nothing about that sort of abomination. I suspect you need
> OIDC, not SAML.
>
> -- Scott
>
>
> --
> For Consortium Member technical support, see
> https://shibboleth.atlassian.net/wiki/x/ZYEpPw
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>