Prerequisites
The enhancement
What is the problem this solves or benefit it gives
The primary benefit to updating this is that our customers security teams are working to ensure that the vendors they use, meet standards of protocols that are used in application design, like TLS or OAuth. Several customers have indicated that they are focused on deprecated parts of the OAuth 2.0 standard, like the one our application currently uses (Implicit Flow).
In brief technical terms, Implicit Flow makes assumptions about the security of the transport between the browser the STS, and on mobile in particular this is considered a genuine risk. For web applications like ours however, this is not considered an urgent issue, however the standard for implicit flow is still considered deprecated as a result of the new flow that eliminates risk on mobile devices.
To recap, this will not fix any particular security flaw, but it will give customers confidence that we are keeping up to date with key protocols and standards within our application.
Proposed solution
There is a POC done here that uplifts the OIDC Authentication provider: OctopusDeploy/OpenIDConnectAuthenticationProviders#52 however it doesn't use PKCE, and further testing is required to make sure it doesn't break Octopus ID.
Ideally this would be available to all Auth Providers that use our OIDC implementation as a base.
Internal Links
One of several issues raised by customers here
Prerequisites
in #feature-discussion or #backlog and the consensus is that this is something we plan on adding in the near futurewith several key product team members and with Principal EngineersThe enhancement
What is the problem this solves or benefit it gives
The primary benefit to updating this is that our customers security teams are working to ensure that the vendors they use, meet standards of protocols that are used in application design, like TLS or OAuth. Several customers have indicated that they are focused on deprecated parts of the OAuth 2.0 standard, like the one our application currently uses (Implicit Flow).
In brief technical terms, Implicit Flow makes assumptions about the security of the transport between the browser the STS, and on mobile in particular this is considered a genuine risk. For web applications like ours however, this is not considered an urgent issue, however the standard for implicit flow is still considered deprecated as a result of the new flow that eliminates risk on mobile devices.
To recap, this will not fix any particular security flaw, but it will give customers confidence that we are keeping up to date with key protocols and standards within our application.
Proposed solution
There is a POC done here that uplifts the OIDC Authentication provider: OctopusDeploy/OpenIDConnectAuthenticationProviders#52 however it doesn't use PKCE, and further testing is required to make sure it doesn't break Octopus ID.
Ideally this would be available to all Auth Providers that use our OIDC implementation as a base.
Internal Links
One of several issues raised by customers here