
oauth: include response_modes_supported as part of the providerClaims

Open hectorj2f opened this issue 3 years ago • 0 comments

Description

I propose to add a new providerClaim response_modes_supported (as optional) in https://github.com/sigstore/sigstore/blob/main/pkg/oauth/oidc/pkce.go#L42. When present, we could use its value to set the response_mode as part of the auth URL here: https://github.com/sigstore/sigstore/blob/main/pkg/oauth/oidc/pkce.go#L84.

Perhaps we could even prefer using response_mode=form_post over other response modes, as detailed here: https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html#FormPostResponseExample

As described in [OAuth 2.0 Multiple Response Type Encoding Practices](https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html#OAuth.Responses) [OAuth.Responses], there are security implications to encoding response values in the query string and in the fragment value. Some of these concerns can be addressed by using the Form Post Response Mode. In particular, it is safe to return Authorization Response parameters whose default Response Modes are the query encoding or the fragment encoding using the form_post Response Mode.

Any thoughts?

hectorj2f · Apr 19 '22 21:04
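The following is an added illustration of the proposal above, not code from sigstore or from the issue author. It sketches how a client could read an optional `response_modes_supported` claim from an OIDC discovery document, prefer `form_post` when the provider advertises it, and otherwise leave `response_mode` unset so the provider default applies. The `providerClaims` struct, its field names, the discovery documents, and the `parseProviderClaims` / `chooseResponseMode` / `buildAuthURL` functions are all assumptions made for this example; they do not mirror sigstore's actual types or the PKCE flow in `pkce.go`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// providerClaims is a stand-in for the subset of an OIDC discovery document
// this example needs. It is an assumption for illustration, not sigstore's
// own providerClaims type.
type providerClaims struct {
	Issuer                 string   `json:"issuer"`
	AuthorizationEndpoint  string   `json:"authorization_endpoint"`
	ResponseModesSupported []string `json:"response_modes_supported,omitempty"`
}

// Constructed sample discovery documents (not real providers).
const withFormPost = `{
  "issuer": "https://idp.example.test",
  "authorization_endpoint": "https://idp.example.test/authorize",
  "response_modes_supported": ["query", "fragment", "form_post"]
}`

const withoutFormPost = `{
  "issuer": "https://idp.example.test",
  "authorization_endpoint": "https://idp.example.test/authorize"
}`

// parseProviderClaims decodes a discovery document. A missing
// response_modes_supported is fine: OIDC Discovery defines its default as
// ["query", "fragment"], so absence must not be treated as an error.
func parseProviderClaims(doc []byte) (providerClaims, error) {
	var pc providerClaims
	if err := json.Unmarshal(doc, &pc); err != nil {
		return providerClaims{}, fmt.Errorf("decoding discovery document: %w", err)
	}
	if pc.AuthorizationEndpoint == "" {
		return providerClaims{}, fmt.Errorf("discovery document has no authorization_endpoint")
	}
	return pc, nil
}

// chooseResponseMode prefers form_post when the provider advertises it, so the
// authorization response is POSTed to the redirect URI instead of riding in the
// query string (visible in access logs and Referer headers) or the fragment.
// It returns "" when form_post is not advertised; the caller then leaves
// response_mode unset and the provider default applies.
func chooseResponseMode(pc providerClaims) string {
	for _, m := range pc.ResponseModesSupported {
		if m == "form_post" {
			return m
		}
	}
	return ""
}

// buildAuthURL assembles a PKCE authorization-code request URL and adds
// response_mode only when chooseResponseMode selected one.
func buildAuthURL(pc providerClaims, clientID, redirectURI, state, codeChallenge string) (string, error) {
	u, err := url.Parse(pc.AuthorizationEndpoint)
	if err != nil {
		return "", fmt.Errorf("parsing authorization_endpoint: %w", err)
	}
	q := u.Query()
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", "openid email")
	q.Set("state", state)
	q.Set("code_challenge", codeChallenge)
	q.Set("code_challenge_method", "S256")
	if mode := chooseResponseMode(pc); mode != "" {
		q.Set("response_mode", mode)
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	// Print the auth URL for both constructed providers: one gains
	// response_mode=form_post, the other is left at the provider default.
	for _, doc := range []string{withFormPost, withoutFormPost} {
		pc, err := parseProviderClaims([]byte(doc))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		u, err := buildAuthURL(pc, "sigstore", "http://localhost:0/auth/callback",
			"constructed-state", "constructed-challenge")
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println(u)
	}
}
```

Note that a `form_post` response arrives as an HTTP POST with form-encoded parameters rather than as query parameters on a GET, so the local callback handler has to accept and parse that POST body; the client change is not limited to the auth URL.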