Use HTTP verb in Service Provider request mapper

Cantor, Scott cantor.2 at
Thu Oct 21 13:43:27 UTC 2021

On 10/21/21, 9:28 AM, "users on behalf of Fabien BERTEAU" <users-bounces at on behalf of fabien.berteau at> wrote:

>    The main reason why I do not agree with the very principles of OIDC is that the access token is a bearer
> security. 

Yes, but so is a SAML assertion (or artifact) and so are session cookies. And only Shibboleth even pretends the IP address ever matters.

>    If the session cookie is HTTP only and secure, then it is out of scope and should be automatically loaded by
> the browser when it is called via its XMLHTTPRequest interface.

I actually had thought that was the point of HttpOnly, to prevent that, but I'm led to understand that it only prevents access via document.cookie. So, I guess that's somewhat rational as long as you control every last bit of code on that cookie's origin.

As you can see, I'm really not the one to be assessing it, my understanding is many years old.

-- Scott
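To make the HttpOnly point above concrete, here is an added example (it is not part of Scott's message and not Shibboleth project code). It parses a Set-Cookie header and runs it through a deliberately simplified model of browser cookie rules: HttpOnly only controls `document.cookie` visibility, Secure controls the scheme, and SameSite controls cross-site attachment. The model assumes a default of SameSite=Lax when the attribute is absent (Chromium's behaviour; other browsers differ), and the cookie names and header strings are constructed for the example.

```javascript
// Added example: a simplified model of which cookie attributes govern which
// behaviours. Not a browser implementation; SameSite=Lax default is an
// assumption (Chromium semantics), and the rules ignore Path/Domain scoping.

// Parse a single Set-Cookie header value into a cookie record.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: nameValue.slice(0, eq),
    value: nameValue.slice(eq + 1),
    httpOnly: false,
    secure: false,
    sameSite: "Lax", // assumption: modern default when the attribute is absent
  };
  for (const attr of attrs) {
    const [rawKey, rawVal] = attr.split("=");
    const key = rawKey.trim().toLowerCase();
    if (key === "httponly") cookie.httpOnly = true;
    else if (key === "secure") cookie.secure = true;
    else if (key === "samesite" && rawVal) cookie.sameSite = rawVal.trim();
  }
  return cookie;
}

// HttpOnly is the only attribute that matters for script visibility: it hides
// the cookie from document.cookie on the cookie's own origin, nothing more.
function readableByScript(cookie) {
  return !cookie.httpOnly;
}

// Whether the browser attaches the cookie to a request. Note that httpOnly is
// never consulted here: an XHR/fetch from the cookie's own site carries it.
// request = { scheme, crossSite, method, topLevelNavigation }
function attachedToRequest(cookie, request) {
  if (cookie.secure && request.scheme !== "https") return false;
  if (!request.crossSite) return true; // same-site: always attached
  switch (cookie.sameSite.toLowerCase()) {
    case "none":
      return cookie.secure; // SameSite=None is only honoured with Secure
    case "lax":
      return request.topLevelNavigation && request.method === "GET";
    case "strict":
    default:
      return false;
  }
}

// Summarise what a Set-Cookie header actually protects against.
function assessCookie(header) {
  const cookie = parseSetCookie(header);
  const sameOriginXhr = { scheme: "https", crossSite: false, method: "POST", topLevelNavigation: false };
  const crossSiteXhr = { scheme: "https", crossSite: true, method: "POST", topLevelNavigation: false };
  const plainHttp = { scheme: "http", crossSite: false, method: "GET", topLevelNavigation: true };
  return {
    name: cookie.name,
    readableByScript: readableByScript(cookie),
    sentOnSameOriginXhr: attachedToRequest(cookie, sameOriginXhr),
    sentOnCrossSiteXhr: attachedToRequest(cookie, crossSiteXhr),
    sentOverPlainHttp: attachedToRequest(cookie, plainHttp),
  };
}

// Constructed headers: a hardened session cookie and a weak one.
const HARDENED = "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax";
const WEAK = "session=abc123; Path=/";

console.log(assessCookie(HARDENED));
console.log(assessCookie(WEAK));
```

The hardened cookie reports `readableByScript: false` but `sentOnSameOriginXhr: true`, which is exactly the situation described in the reply: HttpOnly keeps the value out of script on the origin, but any code running on that origin can still make the browser send it, so the origin's code has to be trusted in full.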
