Apigee-Edge-OIDC-Demonstration /auth endpoint protection

Hello Dino,

Thank you for this great demonstration of OIDC on Apigee. I've a question regarding the /auth endpoint.

In the case of grant_type = authorization_code, do we need to protect the /auth endpoint, to be sure that the request is coming from the login/consent application and not from a different one? The only parameter /auth needs is session_id. So if a client knows the /auth endpoint and has a session_id, it can try to generate an authorization code, bypassing the login/consent application.

Am I right, or is it protected somehow?

thank you

Levan


You are correct.

Previously I had included authentication from the login-and-consent application to the /auth endpoint, but... it started to get somewhat complicated to explain all the various authentication linkages. So I removed that part. In a proper production system I would want authentication on that endpoint, yes.