ANSSI security guidelines

Presentation

The Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI) is the French national agency for information systems security. It has published a document on securing OpenID Connect deployments. This page explains what to configure in LLNG to follow those recommendations.
LLNG as OpenID-Connect Provider

List of points to enable if possible:

- Enable hashed session storage in security parameters
- Allow only the "authorization code" flow
- Forbid the use of HS algorithms, prefer those with public/private keys
- Disable automatic enrollment
- Limit the TTL of access_token to the strictly needed delay
- Don't allow "open redirections"
- Configure the web server to disallow access to /.well-known/openid-configuration
- Code requests
  - Fix the access mode for each relying party (prefer JWS)
  - Require state and nonce
- Token endpoint
  - Require JWS authentication
- UserInfo endpoint
  - Accept only authentication using "Authorization: Bearer ..."
- Use hashed storage for sessions (this includes OIDC tokens)
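As an added example (not code from the LLNG project or the ANSSI document), the following Python check reads an OpenID Provider's discovery metadata, here a constructed sample rather than LLNG's real output, and reports which of the provider-side points above the advertised configuration does not meet; the keys are the standard OpenID Connect Discovery names, and treating refresh_token as part of the code flow is an assumption.

```python
import json

# Constructed sample metadata (not LLNG output) that violates several points.
WEAK_METADATA = json.dumps({
    "response_types_supported": ["code", "id_token", "code id_token"],
    "grant_types_supported": ["authorization_code", "implicit"],
    "id_token_signing_alg_values_supported": ["HS256", "RS256"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
    "request_parameter_supported": False,
})
# The same provider after applying the checklist (also constructed).
HARDENED_METADATA = json.dumps({
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "id_token_signing_alg_values_supported": ["RS256", "ES256"],
    "token_endpoint_auth_methods_supported": ["private_key_jwt"],
    "request_parameter_supported": True,
})

# Assumption: refresh_token belongs to the code flow and is tolerated; the
# guideline targets the implicit and hybrid flows.
ALLOWED_RESPONSE_TYPES = {"code"}
ALLOWED_GRANT_TYPES = {"authorization_code", "refresh_token"}
JWS_CLIENT_AUTH = {"private_key_jwt"}

def audit_op_metadata(raw_json):
    """Return a list of findings; an empty list means every checked point is met."""
    md = json.loads(raw_json)
    findings = []
    # "Allow only authorization code flow"
    extra = set(md.get("response_types_supported", [])) - ALLOWED_RESPONSE_TYPES
    if extra:
        findings.append("response types other than code: " + ", ".join(sorted(extra)))
    extra = set(md.get("grant_types_supported", [])) - ALLOWED_GRANT_TYPES
    if extra:
        findings.append("grant types beyond the code flow: " + ", ".join(sorted(extra)))
    # "Forbid the use of HS algorithms": HS* is HMAC over a shared secret
    hs = sorted(a for a in md.get("id_token_signing_alg_values_supported", []) if a.startswith("HS"))
    if hs:
        findings.append("symmetric ID token signing algorithms offered: " + ", ".join(hs))
    # "Token endpoint: require JWS authentication", i.e. private_key_jwt only
    methods = set(md.get("token_endpoint_auth_methods_supported", []))
    if not methods & JWS_CLIENT_AUTH:
        findings.append("token endpoint does not offer private_key_jwt")
    if methods - JWS_CLIENT_AUTH:
        findings.append("token endpoint accepts non-JWS client auth: " + ", ".join(sorted(methods - JWS_CLIENT_AUTH)))
    # "Code requests: fix the access mode (prefer JWS)", i.e. signed request objects
    if not md.get("request_parameter_supported", False):
        findings.append("signed request objects (request parameter) not supported")
    return findings
```

Run `audit_op_metadata(WEAK_METADATA)` to see five findings and `audit_op_metadata(HARDENED_METADATA)` to get an empty list; since the checklist also recommends blocking /.well-known/openid-configuration, feed it metadata exported from the provider's configuration rather than fetched anonymously.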
LLNG as OpenID-Connect Relying-Party

List of points to enable if possible:

- Enable hashed session storage in security parameters
- Always use nonce
- Forbid the use of HS algorithms, prefer those with public/private keys
- Code requests
  - Use JWS to pass request parameters
- Token endpoint
  - Use JWS authentication
- Use hashed storage for sessions