Use HTTP verb in Service Provider request mapper
Cantor, Scott
cantor.2 at osu.edu
Thu Oct 21 13:43:27 UTC 2021
On 10/21/21, 9:28 AM, "users on behalf of Fabien BERTEAU" <users-bounces at shibboleth.net on behalf of fabien.berteau at manomano.com> wrote:
> The main reason why I do not agree with the very principles of OIDC is that the access token is a bearer
> security.
Yes, but so is a SAML assertion (or artifact) and so are session cookies. And only Shibboleth even pretends the IP address ever matters.
> If the session cookie is HttpOnly and Secure, then it is out of scope and should be automatically loaded by
> the browser when it is called via its XMLHttpRequest interface.
I actually had thought that was the point of HttpOnly, to prevent that, but I'm led to understand that it only prevents access via document.cookie. So, I guess that's somewhat rational as long as you control every last bit of code on that cookie's origin.
As you can see, I'm really not the one to be assessing it, my understanding is many years old.
-- Scott
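The distinction Scott lands on above, illustrated as an added example that is not part of the thread and is not Shibboleth code: a small JavaScript model of the browser's cookie rules. HttpOnly removes a cookie from `document.cookie` only; the browser still attaches it to XMLHttpRequest and `fetch()` calls that carry credentials, so any script running on the cookie's origin can drive requests with it. Secure keeps it off plaintext requests. The SP hostname, the cookie name `_shibsession_abc` and its value are made up for the example, and the model is deliberately simplified: cookies are host-only, and Domain, SameSite, expiry and CORS are not modelled.

```javascript
// Added example, not code from the thread or from Shibboleth: a small model of
// the browser rules behind the HttpOnly point. HttpOnly hides a cookie from
// document.cookie; it does NOT stop the browser from attaching the cookie to
// XMLHttpRequest/fetch() calls that carry credentials. Secure restricts the
// cookie to https. Simplifications (assumptions of this illustration): cookies
// are host-only, and Domain, SameSite, expiry and CORS are not modelled.

// RFC 6265 section 5.1.4 path-match.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Parse one Set-Cookie header value into a cookie record.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    path: '/',
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=').map((s) => s.trim());
    switch (k.toLowerCase()) {
      case 'path': cookie.path = v.startsWith('/') ? v : '/'; break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      default: break; // Domain, SameSite, Max-Age, Expires: ignored in this model
    }
  }
  return cookie;
}

class CookieJar {
  constructor() { this.store = new Map(); } // hostname -> [cookie]

  // Store a Set-Cookie header received in a response from responseUrl.
  // Returns false when the browser would reject it (Secure cookie set over http).
  storeFromResponse(responseUrl, setCookieHeader) {
    const u = new URL(responseUrl);
    const c = parseSetCookie(setCookieHeader);
    if (c.secure && u.protocol !== 'https:') return false;
    const list = this.store.get(u.hostname) || [];
    const i = list.findIndex((x) => x.name === c.name && x.path === c.path);
    if (i >= 0) list[i] = c; else list.push(c);
    this.store.set(u.hostname, list);
    return true;
  }

  // Cookies eligible for a request to requestUrl: host, path and Secure checks.
  matching(requestUrl) {
    const u = new URL(requestUrl);
    return (this.store.get(u.hostname) || []).filter(
      (c) => pathMatches(u.pathname, c.path) && (!c.secure || u.protocol === 'https:'));
  }

  // What script sees in document.cookie on a page at pageUrl: HttpOnly cookies omitted.
  documentCookie(pageUrl) {
    return this.matching(pageUrl)
      .filter((c) => !c.httpOnly)
      .map((c) => `${c.name}=${c.value}`).join('; ');
  }

  // Cookie header the browser attaches to an XHR/fetch to requestUrl issued by
  // script running at initiatorOrigin. HttpOnly cookies are included: the flag
  // is not consulted here at all. credentials follows the fetch() modes.
  cookieHeader(requestUrl, { credentials = 'same-origin', initiatorOrigin } = {}) {
    if (credentials === 'omit') return '';
    if (credentials === 'same-origin' && initiatorOrigin !== new URL(requestUrl).origin) return '';
    return this.matching(requestUrl).map((c) => `${c.name}=${c.value}`).join('; ');
  }
}

// Constructed scenario: an SP at https://sp.example.org sets a session cookie
// after a SAML login (cookie name and value made up for the example) plus one
// ordinary cookie, and page script then makes API calls.
function demo() {
  const jar = new CookieJar();
  jar.storeFromResponse('https://sp.example.org/Shibboleth.sso/SAML2/POST',
    '_shibsession_abc=_1234; Path=/; Secure; HttpOnly');
  jar.storeFromResponse('https://sp.example.org/', 'theme=dark; Path=/');
  const page = 'https://sp.example.org/app/';
  const origin = new URL(page).origin;
  return {
    // script cannot read the session cookie ...
    documentCookie: jar.documentCookie(page),
    // ... but any script on the origin gets it attached to a credentialed XHR
    xhrSameOrigin: jar.cookieHeader('https://sp.example.org/api/data',
      { credentials: 'include', initiatorOrigin: origin }),
    // Secure keeps it off plaintext requests
    plainHttp: jar.cookieHeader('http://sp.example.org/api/data',
      { credentials: 'include', initiatorOrigin: origin }),
    // and credentials: 'omit' sends nothing
    omitted: jar.cookieHeader('https://sp.example.org/api/data',
      { credentials: 'omit', initiatorOrigin: origin }),
  };
}

console.log(demo());
```

Running it shows `documentCookie` containing only `theme=dark` while `xhrSameOrigin` carries `_shibsession_abc=_1234` as well, which is the practical consequence: HttpOnly is a defence against cookie theft through script, not against a compromised script on that origin using the session directly.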