ANSSI security guidelines
Presentation
The Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI) is the French national agency for information systems security. It published a document on securing OpenID Connect deployments. This page explains what to configure in LLNG to follow it.
LLNG as OpenID-Connect Provider
List of points to enable if possible:
- Enable hashed session storage in security parameters
- Allow only the "authorization code" flow
- Forbid the use of HS algorithms, prefer those with public/private keys
- Disable automatic enrollment
- Limit the TTL of `access_token` to the strictly needed delay
- Don't allow "open redirections"
- Configure the web server to disallow access to `/.well-known/openid-configuration`
- Code requests
  - Fix the access mode for each relying party (prefer JWS)
  - Require `state` and `nonce`
- Token endpoint
  - Require JWS authentication
- UserInfo endpoint
  - Accept only authentication using `Authorization: Bearer ...`
- Use hashed storage for sessions (this includes OIDC tokens)
LLNG as OpenID-Connect Relying-Party
List of points to enable if possible:
- Enable hashed session storage in security parameters
- Always use `nonce`
- Forbid the use of HS algorithms, prefer those with public/private keys
- Code requests
  - Use JWS to pass request parameters
- Token endpoint
  - Use JWS authentication
- Use hashed storage for sessions
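The following added example (not LLNG code, and not the ANSSI document's) shows what several of the points in both lists above amount to on the relying-party side of the exchange: it issues an authorization request that uses the code flow only with fresh `state` and `nonce` values bound to the user's session, rejects a callback whose `state` does not match, and refuses an ID token whose `alg` header is an HS algorithm or whose `nonce` does not match the one sent. The session is a plain dict standing in for a real session store, and the token builder `_fake_jws` produces a constructed, unsigned token for demonstration; signature verification with the provider's public key is assumed to happen in a JWS library after these structural checks.

```python
import base64
import hmac
import json
import secrets
import time

# Only asymmetric JWS algorithms are accepted for ID tokens, following the
# "forbid the use of HS algorithms" point: an HS token signed with the shared
# client secret must never be accepted in place of a provider-signed one.
ALLOWED_ALGS = frozenset(
    {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES384", "ES512"}
)


class OidcCheckError(ValueError):
    """Raised when a provider response violates one of the checks."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _equal(expected, received) -> bool:
    # Constant-time comparison on bytes so attacker-controlled strings of any
    # encoding cannot make hmac.compare_digest raise.
    return expected is not None and hmac.compare_digest(
        str(expected).encode(), str(received).encode()
    )


def split_jwt(token: str) -> tuple:
    """Return (header, claims) of a compact JWS without verifying the signature
    (verification is assumed to be done by a JWS library afterwards)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise OidcCheckError("not a compact JWS")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def build_authorization_request(session: dict, client_id: str, redirect_uri: str) -> dict:
    """Create the authorization request and bind fresh state/nonce values to
    the caller's session (hypothetical dict-based session store)."""
    session["oidc_state"] = secrets.token_urlsafe(32)
    session["oidc_nonce"] = secrets.token_urlsafe(32)
    return {
        "response_type": "code",  # authorization code flow only
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": session["oidc_state"],
        "nonce": session["oidc_nonce"],
    }


def check_callback(session: dict, params: dict) -> str:
    """Validate the redirect back from the provider and return the code.
    The stored state is consumed so the callback cannot be replayed."""
    if not _equal(session.pop("oidc_state", None), params.get("state", "")):
        raise OidcCheckError("missing or mismatched state")
    if "code" not in params:
        raise OidcCheckError("only the authorization code flow is accepted")
    return params["code"]


def check_id_token(session: dict, id_token: str, issuer: str, client_id: str, now=None) -> dict:
    """Apply the guideline checks to an ID token and return its claims."""
    header, claims = split_jwt(id_token)
    if header.get("alg") not in ALLOWED_ALGS:
        raise OidcCheckError("rejected alg %r" % header.get("alg"))
    if not _equal(session.pop("oidc_nonce", None), claims.get("nonce", "")):
        raise OidcCheckError("missing or mismatched nonce")
    if claims.get("iss") != issuer:
        raise OidcCheckError("unexpected issuer")
    aud = claims.get("aud")
    if client_id != aud and not (isinstance(aud, list) and client_id in aud):
        raise OidcCheckError("token not intended for this client")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise OidcCheckError("expired token")
    return claims


def _fake_jws(header: dict, claims: dict) -> str:
    """Constructed, unsigned token used only to exercise the checks above."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return "%s.%s.sig" % (enc(header), enc(claims))


if __name__ == "__main__":
    session = {}
    req = build_authorization_request(session, "client-A", "https://rp.example/cb")
    code = check_callback(session, {"code": "abc", "state": req["state"]})
    good = _fake_jws({"alg": "RS256"}, {"iss": "https://op.example", "aud": "client-A",
                                        "nonce": req["nonce"], "exp": 2_000_000_000})
    print(check_id_token(session, good, "https://op.example", "client-A", now=1_000_000_000))
```

Each check is written to fail closed: a missing `state` or `nonce` is treated exactly like a wrong one, and both values are removed from the session on first use so a second callback or a replayed token cannot pass.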