
do not include authentication header in .query when jti is recorded in agent #87

Open
JohnMoehrke opened this issue Oct 17, 2023 · 1 comment

Comments

@JohnMoehrke
Contributor

Where a query interaction succeeds (is authorized), and thus the AuditEvent has an .agent following the OAuth profile, which includes recording the OAuth token jti, the inclusion of the HTTP authentication header is not needed, and including it in the AuditEvent presents a security risk (token reuse).

@JohnMoehrke
Contributor Author

Is there some profile of the OAuth token that can be described that preserves in the audit that which is useful while explicitly excluding the concerning portions? We need a subject matter expert to define this profile of the OAuth token for this use case.
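The two points in this thread, as an added example that is not part of the issue or of the project's own code: the audit record keeps the jti in .agent and strips the credential-bearing headers before the request text is base64-encoded into .entity.query, and a second function scans stored AuditEvents for queries that still carry a header or a bearer JWT. The JWT, the HTTP request, the extension URL on the agent, and the set of token claims kept for audit are all constructed assumptions; the claim set in particular is a placeholder for the profile the second comment asks a subject matter expert to define.

```python
import base64
import json
import re


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Constructed sample JWT (header.payload.signature) with a fake signature.
SAMPLE_JWT = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({
        "iss": "https://auth.example.org",
        "sub": "dr.jones",
        "client_id": "ehr-app",
        "scope": "patient/Patient.read",
        "jti": "4b6f2e0c-7f4d-4c1c-9a9e-0d8a1c2b3e4f",
        "exp": 1700000000,
    }).encode()),
    _b64url(b"\x00" * 32),  # not a real signature
])

# Constructed raw HTTP request, the text a server might otherwise
# base64-encode verbatim into AuditEvent.entity.query.
SAMPLE_REQUEST = (
    "GET /fhir/Patient?name=smith HTTP/1.1\r\n"
    "Host: fhir.example.org\r\n"
    "Accept: application/fhir+json\r\n"
    f"Authorization: Bearer {SAMPLE_JWT}\r\n"
    "\r\n"
)

# Headers that carry credentials and must never land in the audit record.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}

# Assumed audit profile of the token: identifying claims only, no signature.
# Which claims belong here is what the issue asks an SME to decide.
AUDIT_CLAIMS = ("jti", "iss", "sub", "client_id", "scope", "exp")

# Placeholder extension URL; substitute the one your audit profile defines.
JTI_EXTENSION_URL = "http://example.org/fhir/StructureDefinition/oauth-token-jti"


def strip_credential_headers(raw_request: str) -> str:
    """Return the request with credential-bearing headers removed."""
    head, sep, body = raw_request.partition("\r\n\r\n")
    request_line, *headers = head.split("\r\n")
    kept = [h for h in headers
            if h.split(":", 1)[0].strip().lower() not in CREDENTIAL_HEADERS]
    return "\r\n".join([request_line, *kept]) + sep + body


def token_audit_claims(jwt: str) -> dict:
    """Decode the payload and keep only the assumed audit-relevant claims."""
    _header, payload_b64, _signature = jwt.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    return {k: payload[k] for k in AUDIT_CLAIMS if k in payload}


def build_audit_event_naive(raw_request: str) -> dict:
    """The pattern the issue objects to: the whole request, header included."""
    return {"resourceType": "AuditEvent",
            "entity": [{"query": base64.b64encode(raw_request.encode()).decode("ascii")}]}


def build_audit_event(raw_request: str, jwt: str) -> dict:
    """jti recorded on .agent, credential headers stripped from .entity.query."""
    claims = token_audit_claims(jwt)
    sanitized = strip_credential_headers(raw_request)
    return {
        "resourceType": "AuditEvent",
        "action": "E",
        "agent": [{
            "who": {"identifier": {"system": claims["iss"], "value": claims["sub"]}},
            "requestor": True,
            "extension": [{"url": JTI_EXTENSION_URL, "valueString": claims["jti"]}],
        }],
        "entity": [{"query": base64.b64encode(sanitized.encode()).decode("ascii")}],
    }


# A credential header at line start, or a bearer token that looks like a JWT.
_LEAK_RE = re.compile(
    r"(?im)^(authorization|proxy-authorization|cookie):"
    r"|bearer\s+[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\."
)


def decoded_queries(audit_event: dict) -> list:
    """Decode every entity.query in an AuditEvent back to text."""
    return [base64.b64decode(e["query"]).decode("utf-8", errors="replace")
            for e in audit_event.get("entity", []) if e.get("query")]


def query_leaks_credentials(audit_event: dict) -> bool:
    """Check a stored AuditEvent: does any entity.query still carry a token?"""
    return any(_LEAK_RE.search(q) for q in decoded_queries(audit_event))


if __name__ == "__main__":
    print("naive leaks:", query_leaks_credentials(build_audit_event_naive(SAMPLE_REQUEST)))
    print("sanitized leaks:", query_leaks_credentials(build_audit_event(SAMPLE_REQUEST, SAMPLE_JWT)))
```

The search parameters survive in .entity.query, so the record still says what was asked, while the only token material left on the AuditEvent is the jti on .agent, which identifies the token without being usable to replay it. The leak check is the kind of sweep to run over an existing audit store after changing the recorder, since records written under the old pattern remain replayable until the tokens in them expire.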
