...

  • shall only establish connections to servers, including HelseID, using TLS. All TLS connections shall be set up using TLS version 1.2 or later, and follow RFC 7525.

  • shall use Authorization Code flow, as described by IETF in OAuth 2.0 and by OIDF in OpenID Connect for interactive sessions (end-user sessions), OR

  • shall use the Client Credentials flow as described in RFC 6749.

  • shall be confidential clients, meaning that the client secrets used to authenticate the clients are known to HelseID prior to the authentication.

  • shall pass request parameters as JWT as described by OIDF in OpenID Connect, and as detailed by HelseID.

  • shall support client authentication using:

    • “private_key_jwt”, as described by OpenID Connect for interactive sessions.

    • Client Assertions as described by RFC 7521 and RFC 7523.

    • The requirements for client authentication are further detailed by HelseID.

  • shall support sender-constrained tokens using

    • Demonstrating Proof-of-Possession at the Application Layer (DPoP) as described by draft-ietf-oauth-dpop.

  • shall use PKCE, as defined by IETF in RFC 7636 - Proof Key for Code Exchange, to mitigate code interception and other attacks.

  • shall send access tokens in HTTP Authorization headers, as described by RFC 6750.

  • shall use the “authorization_details” structure, as defined by IETF in the specification Rich Authorization Requests, to convey fine grained authorization requirements to HelseID.

    • These requirements are further detailed by HelseID.

  • shall check the validity of the “iss” parameter in the authorization response to prevent mix-up attacks.

  • shall implement protection against XSS and CSRF attacks. Please refer to external sources such as OWASP for details about how to test and secure a client.

  • shall not expose open redirectors that would leave the client vulnerable to malicious redirections. Please refer to external sources for descriptions of mitigations against these types of attacks.

    • the client shall protect against attacks via HTTP headers

    • the client shall protect against attacks via JavaScript (e.g. XSS attacks)
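
Two of the client-side checks listed above, PKCE (RFC 7636, S256 method) and the “iss” check on the authorization response, as an added example that is not part of the HelseID documentation. The issuer URL and the redirect URL are placeholders constructed for the example; the code uses only the Python standard library.

```python
"""Client-side checks from the profile above: PKCE (RFC 7636, S256) and the
"iss" mix-up check on the authorization response. Added example, stdlib only;
EXPECTED_ISSUER is a placeholder, not a real HelseID issuer URL."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

EXPECTED_ISSUER = "https://helseid.example/"  # placeholder assumption


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(nbytes: int = 32) -> str:
    """Random code_verifier; 32 bytes -> 43 unreserved characters (min 43, max 128)."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def validate_authorization_response(redirect_url: str, expected_state: str,
                                    expected_issuer: str = EXPECTED_ISSUER) -> str:
    """Return the authorization code, or raise if the response cannot be trusted:
    state mismatch (CSRF) or missing/unexpected iss (mix-up attack)."""
    params = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    if "error" in params:
        raise ValueError(f"authorization error: {params['error'][0]}")
    state = params.get("state", [])
    if len(state) != 1 or not hmac.compare_digest(state[0], expected_state):
        raise ValueError("state mismatch: possible CSRF")
    if params.get("iss") != [expected_issuer]:
        raise ValueError("iss missing or unexpected: possible mix-up attack")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


if __name__ == "__main__":
    verifier = new_code_verifier()
    print("code_challenge:", code_challenge_s256(verifier))
    # Constructed redirect URL carrying the placeholder issuer.
    url = "https://client.example/cb?code=abc123&state=xyz&iss=https%3A%2F%2Fhelseid.example%2F"
    print("code:", validate_authorization_response(url, "xyz"))
```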

Cryptography and secrets

...

Cryptography

The following algorithms are supported when using “private_key_jwt” and request objects.

JSON Web Algorithm   Signature algorithm family   Hashing algorithm
RS256                RSASSA-PKCS1-v1_5            SHA-256
RS384                RSASSA-PKCS1-v1_5            SHA-384
RS512                RSASSA-PKCS1-v1_5            SHA-512
ES256                ECDSA                        SHA-256
ES384                ECDSA                        SHA-384
ES512                ECDSA                        SHA-512
PS256                RSASSA-PSS                   SHA-256
PS384                RSASSA-PSS                   SHA-384
PS512                RSASSA-PSS                   SHA-512

  • It is recommended to use PS256 or PS512.

  • RSA keys shall have a minimum length of 2048 bits.

  • Elliptic curve keys shall have a minimum length of 160 bits.

...