Hello Dino,
Thank you for this great demonstration of OIDC on Apigee. I have a question regarding the /auth endpoint.
In the case of grant_type = authorization_code, do we need to protect the /auth endpoint, to be sure that the request is coming from the login/consent application and not from a different one? The only parameter /auth needs is session_id. So if a client knows the /auth endpoint and has a session_id, it can try to generate an authorization code, bypassing the login/consent application.
Am I right, or is it protected somehow?
thank you
Levan
You are correct.
Previously I had included authentication from the login-and-consent application to the /auth endpoint, but... it started to get somewhat complicated to explain all the various authentication linkages. So I removed that part. In a proper production system I would want authentication on that endpoint, yes.