
OpenID Connect - Is securing machine-to-machine endpoints allowed?

I'm currently trying to figure out if securing machine-to-machine OpenID Connect endpoints besides TLS (for example with basic authentication) is allowed. By machine-to-machine endpoints I refer to, for example, the token endpoint ( https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint ) or the well-known endpoint ( https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig ).

So far I couldn't find anything in the OpenID/OAuth2 specifications (i.e. https://openid.net/specs/openid-connect-core-1_0.html ) on this topic stating whether this is allowed/disallowed/discouraged/etc.

There is no need to protect the discovery and the other public endpoints, as they are meant for public consumption by the clients and APIs.

You should always use HTTPS/TLS with the browser because otherwise, you will have problems with the cookies.

For machine-to-machine communication, you have the client credentials flow, which gives you a secure way to establish communication between two services.

How you secure the communication internally on the backend is up to you.

With backend, I mean where the services are hosted.
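The client credentials flow mentioned in the answer, as an added example that is not part of the original post: it shows both sides of a token endpoint call, the client building a `client_credentials` request that authenticates with HTTP Basic client credentials (`client_secret_basic`, as defined in RFC 6749 section 2.3.1, which form-urlencodes the id and secret before base64-encoding them), and the provider's check of those credentials. The endpoint URL, client id and secret are constructed sample values.

```python
import base64
import hmac
from urllib.parse import quote, unquote, urlencode

# Constructed sample registration; not real credentials.
REGISTERED_CLIENTS = {"billing-service": "s3cret:example-value"}


def build_token_request(token_endpoint, client_id, client_secret, scope):
    """Client side: client_credentials grant using client_secret_basic.
    RFC 6749 s2.3.1: id and secret are form-urlencoded before being joined
    with ':' and base64-encoded, so a ':' inside the secret survives."""
    userpass = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    token = base64.b64encode(userpass.encode("utf-8")).decode("ascii")
    headers = {
        "Authorization": f"Basic {token}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return token_endpoint, headers, body


def authenticate_client(authorization_header, registered_clients):
    """Provider side: verify client_secret_basic at the token endpoint.
    Returns the client_id on success and None on any failure; the secret
    comparison is constant-time so a wrong secret leaks nothing by timing."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(authorization_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    client_id, sep, secret = raw.partition(":")
    if not sep:
        return None
    client_id, secret = unquote(client_id), unquote(secret)
    expected = registered_clients.get(client_id)
    if expected is None:
        return None
    if not hmac.compare_digest(expected.encode("utf-8"), secret.encode("utf-8")):
        return None
    return client_id


if __name__ == "__main__":
    url, hdrs, body = build_token_request(
        "https://op.example/token", "billing-service", "s3cret:example-value", "invoices.read")
    print(url, hdrs["Authorization"], body)
    print(authenticate_client(hdrs["Authorization"], REGISTERED_CLIENTS))
```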
