I'm currently trying to figure out whether securing machine-to-machine OpenID Connect endpoints with something besides TLS (for example, HTTP basic authentication) is allowed. By machine-to-machine endpoints I mean, for example, the token endpoint ( https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint ) or the well-known endpoint ( https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig ).
So far I couldn't find anything in the OpenID/OAuth2 specifications (i.e. https://openid.net/specs/openid-connect-core-1_0.html ) on this topic, i.e. whether this is allowed/disallowed/discouraged/etc.
There is no need to protect the discovery and the other public endpoints, as they are meant for public consumption by the clients and APIs.
You should always use HTTPS/TLS with the browser because otherwise, you will have problems with the cookies.
For machine-to-machine communication, you have the client credentials flow, which gives you a secure way to establish communication between two services.
How you secure the communication internally on the backend is up to you.
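To make the client credentials flow mentioned above concrete, here is an added example (not code from the question or the answer) of both sides of the token-endpoint exchange: the client reads the token endpoint from a discovery document, authenticates with `client_secret_basic` (HTTP Basic, as RFC 6749 section 2.3.1 and OIDC Core section 9 define it, with the id and secret form-urlencoded before base64 encoding), and a minimal stand-in for the provider's token endpoint verifies the credentials. The discovery document, the client id `svc-billing`, the secret and the issuer URL are all constructed placeholders; nothing is sent over the network.

```python
import base64
import hmac
import json
import secrets
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed sample discovery document (not fetched from a real provider);
# only the fields this example needs are present.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://op.example.com",
    "token_endpoint": "https://op.example.com/oauth2/token",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
})

# Hypothetical client registration; the secret is a placeholder chosen to
# contain characters that must be percent-encoded before base64 encoding.
CLIENT_ID = "svc-billing"
CLIENT_SECRET = "s3cr3t+with/special chars"


def token_endpoint_from_discovery(doc_json: str) -> str:
    """Pick the token endpoint out of a discovery document and insist on TLS."""
    doc = json.loads(doc_json)
    # Per OIDC Discovery the default when the field is absent is client_secret_basic.
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if "client_secret_basic" not in methods:
        raise ValueError("provider does not advertise client_secret_basic")
    endpoint = doc["token_endpoint"]
    if not endpoint.startswith("https://"):
        raise ValueError("token endpoint must be served over TLS")
    return endpoint


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 2.3.1: form-urlencode id and secret, join with ':', base64-encode."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def build_client_credentials_request(doc_json, client_id, client_secret, scope=None):
    """Client side: the POST the service would send to the token endpoint."""
    body = {"grant_type": "client_credentials"}
    if scope:
        body["scope"] = scope
    return {
        "method": "POST",
        "url": token_endpoint_from_discovery(doc_json),
        "headers": {
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(body),
    }


# Server side: a minimal stand-in for the provider's token endpoint.
REGISTERED_CLIENTS = {CLIENT_ID: CLIENT_SECRET}


def handle_token_request(request):
    """Verify client_secret_basic credentials and the grant, return (status, json)."""
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("ascii")
        enc_id, enc_secret = decoded.split(":", 1)
    except ValueError:  # bad base64, non-ASCII, or no ':' separator
        return 401, {"error": "invalid_client"}
    client_id, secret = unquote(enc_id), unquote(enc_secret)
    expected = REGISTERED_CLIENTS.get(client_id, "")
    # Constant-time comparison; an unknown client compares against "" and still fails.
    if client_id not in REGISTERED_CLIENTS or not hmac.compare_digest(
        secret.encode("utf-8"), expected.encode("utf-8")
    ):
        return 401, {"error": "invalid_client"}
    form = parse_qs(request["body"], strict_parsing=True)
    if form.get("grant_type") != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type"}
    return 200, {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 300,
        "scope": form.get("scope", [""])[0],
    }


if __name__ == "__main__":
    req = build_client_credentials_request(DISCOVERY_DOC, CLIENT_ID, CLIENT_SECRET, "invoices:read")
    print(req["headers"]["Authorization"])
    print(handle_token_request(req))
```

The point of the exchange is that the credential protecting the token endpoint is the client's own registered secret, carried in the standard `Authorization: Basic` header that OAuth2 already defines for confidential clients, so there is no separate HTTP-level basic auth layer to bolt on; the discovery document stays unauthenticated and only needs TLS.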