Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implementing security measures of protecting API based Authentication #16836

Closed
Thumimku opened this issue Oct 3, 2023 · 1 comment
Closed

Implementing security measures of protecting API based Authentication #16836

Thumimku opened this issue Oct 3, 2023 · 1 comment
Assignees
@Thumimku
Labels
7.0.0-feature Fixed/7.0.0 on-prem-specific These are the on-prem specific improvements/fixes,
Milestone
7.0.0-beta

Comments

@Thumimku
Copy link
Contributor

Thumimku commented Oct 3, 2023

Describe the issue:
This issue handle the security of the feature mentioned in #15684
This feature allows clients to efficiently access authorization endpoints and retrieve authentication criteria in an interoperable JSON format. It simplifies the user experience by seamlessly prompting users for credentials within the app's interface. This API is designed for 1st party mobile apps, bypassing explicit user consent handling. To ensure the correct app is communicating with the authorization server, Attestation of Provenance (AoP) is crucial.

Impersonation is one of the key security considerations when it comes to mobile applications. A malicious mobile app could potentially impersonate an actual app by using its client ID, then trick a user into signing in.

Apart from impersonation the following security issues are also addressed in this solution.

  • Running on rooted environment
  • Decompiled
  • Replay Attacks on authorization server
  • Man In The Middle Attack

Architecture of this feature can be found in mail : "Enhancing security measures for API based Authentication"
@Thumimku Thumimku added this to the 7.0.0-alpha milestone Oct 3, 2023
@Thumimku Thumimku self-assigned this Oct 3, 2023
@Thumimku Thumimku moved this to In Progress in Identity Server 7.0.0 Oct 3, 2023
@Thumimku Thumimku modified the milestones: 7.0.0-alpha, 7.0.0-alpha2 Oct 31, 2023
@Thumimku
Copy link
Contributor Author

Working in Progress hence I extend the milesotne

This was referenced Nov 1, 2023
Merged
Merged
Merged
Merged
Merged
This was referenced Nov 9, 2023
Closed
Merged
@Thumimku Thumimku modified the milestones: 7.0.0-alpha2, 7.0.0-beta Nov 9, 2023
This was referenced Nov 10, 2023
Merged
Merged
Merged
Merged
@Thumimku Thumimku mentioned this issue Nov 20, 2023
Merged
9 tasks
@github-project-automation github-project-automation bot moved this from In Progress to Done in Identity Server 7.0.0 Nov 21, 2023
@Thumimku Thumimku added the on-prem-specific These are the on-prem specific improvements/fixes, label Nov 21, 2023
@Thumimku Thumimku mentioned this issue Nov 22, 2023
Closed
This was referenced Nov 29, 2023
Closed
Closed
Closed
Merged
@Achintha444 Achintha444 mentioned this issue Dec 1, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Thumimku Thumimku

Labels
7.0.0-feature Fixed/7.0.0 on-prem-specific These are the on-prem specific improvements/fixes,
Projects
Identity Server 7.0.0
Archived in project
Milestone
7.0.0-beta
Development

No branches or pull requests
2 participants
@janakamarasena @Thumimku