id_token_hint should not persist to storage #798

Open
3 of 5 tasks
mitar opened this issue Mar 7, 2024 · 2 comments
Labels
bug Something is not working.

Comments

@mitar
Contributor

mitar commented Mar 7, 2024

Preflight checklist

Ory Network Project

No response

Describe the bug

In this discussion I realized that id_token_hint is persisted to the storage in Fosite and it probably should not be. I think subject from the id_token_hint should be extracted early and only subject should be stored in the session, not the whole id_token_hint.

Reproducing the bug

Looking at the code here: https://github.com/ory/fosite/blob/master/handler/openid/flow_explicit_auth.go#L29-L35

Relevant log output

No response

Relevant configuration

No response

Version

latest master

On which operating system are you observing this issue?

None

In which environment are you deploying?

None

Additional Context

No response

@mitar mitar added the bug Something is not working. label Mar 7, 2024
@james-d-elliott
Contributor

james-d-elliott commented Mar 7, 2024

Would probably need to retain the aud and sid claims as well for OpenID Connect RP-Initiated Logout 1.0, there are very likely other specifications that use other values too. I was also under the impression that the OpenID Sessions were deleted upon completion of the flow (maybe it's only for successful ones).

Maybe the best option here would be to store solely the claims as some form of child claims like id_token_hint_claims? Since it has no signature it has no intrinsic security value, only a privacy value.
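
An illustration of the approach discussed in the two comments above, added here as an example and not Fosite's code or either commenter's: it reduces an id_token_hint to the sub, aud and sid claims before anything is persisted. The `HintClaims` type, the `ExtractHintClaims` function and the sample token are hypothetical, and the code assumes the hint's signature has already been verified by the caller.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// HintClaims is a hypothetical record persisted in place of the raw id_token_hint.
type HintClaims struct {
	Subject   string          `json:"sub"`
	Audience  json.RawMessage `json:"aud,omitempty"` // string or array, kept as sent
	SessionID string          `json:"sid,omitempty"`
}

// ExtractHintClaims assumes the caller has ALREADY verified the hint's signature.
// Unmarshalling into HintClaims drops every claim except sub, aud and sid.
func ExtractHintClaims(hint string) (*HintClaims, error) {
	parts := strings.Split(hint, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("id_token_hint is not a compact JWS")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	var out HintClaims
	if err := json.Unmarshal(payload, &out); err != nil {
		return nil, fmt.Errorf("parse claims: %w", err)
	}
	if out.Subject == "" {
		return nil, fmt.Errorf("id_token_hint has no sub claim")
	}
	return &out, nil
}

func main() {
	// Constructed sample: empty header, dummy signature, payload with extra PII claims.
	payload := `{"sub":"user-1","aud":"client-a","sid":"sess-42","email":"a@example.com","name":"A"}`
	hint := "e30." + base64.RawURLEncoding.EncodeToString([]byte(payload)) + ".c2ln"
	claims, err := ExtractHintClaims(hint)
	if err != nil {
		panic(err)
	}
	stored, _ := json.Marshal(map[string]*HintClaims{"id_token_hint_claims": claims})
	fmt.Println(string(stored)) // only sub, aud and sid remain
}
```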

@mitar
Contributor Author

mitar commented Mar 7, 2024

> I was also under the impression that the OpenID Sessions were deleted upon completion of the flow (maybe it's only for successful ones).

Oh, this has been changed just recently: c0b30f6

But I do not see where DeleteAccessTokenSession would be called?
