Security/Guidelines/OpenID Connect: Difference between revisions

An ID token is provided to the web application (RP) by the Open ID Connect Provider (OP). It contains a JSON document which informs the web application (RP) about how, when the user has authenticated, various attributes, and for how long the user session can be trusted. This token can be re-newed as often as necessary by the web application (RP) to ensure that the user and it's attributes are both valid and up to date.

Other tokens can be used, though these do not pertain directly to authentication. These are also often called OAuth2 tokens. This is because OIDC is based on OAuth2 and thus also provides full OAuth2 support. The OAuth2 tokens (Access Token and Refresh Tokens) enable their bearer to access information from other websites and resources (including additional user attributes that may not be passed by the ID token) - but are not required to perform user authentication.

| The Access token has specific permissions and is used to get data from an API. It expire quickly, typically within 24 hours.

| The ID token contains information about how and when the user authenticated along with various attributes. ID tokens are created and signed by OpenID Connect Providers (OP) and consumed, verified by web applications authenticating users (RPs).

This sequence diagram is useful if you want to understand how OIDC works, or need to modify or implement your own OIDC library.

The expiration of the session depends on the OP setup the session and may be forced to expire by the OpenID Connect Provider (OP) sooner than the cookie indicates on the user's browser.

For that reason, it is important that the web application (RP) respect the following set of rules in regards to session handling:

* '''Must''' expire the user session when the ID token expires or sooner (the expiration time is generally a UNIX timestamp attribute named <code>exp</code>).

* If the user's session is longer than '''15 minutes''', '''must''' re-check/introspect the ID token every ''15 minutes'' or next user request (whichever comes first), to ensure that the user is still valid and has correct permissions.

** This issues a new ID token, which new attributes if they have changed.

** This usually also renews the ID token, which will update it's expiration time to a later date.

* '''Optionally''' provide a <code>logout</code> URL, which the OpenID Connect Provider (OP) can call to indicate if a user has logged out (so that the web application immediately know when to log the user out as well).

* '''Always''' expire the user session when the associated ID token expires.

* '''Should''' introspect the contents of the id token by querying the OP regularly, before the ID token expires.

* '''Never''' use implicit grants for websites. Authorization code grant ensures that the relying party is getting the access tokens, and that these cannot be intercepted within the user's browser.  

When requesting authentication from the OpenID Connect provider, '''always''' use the state parameter.

This is a defense against [https://en.wikipedia.org/wiki/Cross-site_request_forgery CSRF] attacks as the attacker needs

to know the state code/contents (similar to the [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention CSRF synchronizer token] used on websites)

Avoid using or storing  refresh tokens, especially for relying parties (RP) which are websites. Refresh tokens never expire and thus are very powerful.