proxy/request signers: request signers should also sign access token by jphines · Pull Request #179 · buzzfeed/sso
Merged
jphines commented Apr 17, 2019
Problem
We received a security report that request signatures do not sign access tokens if the proxy is configured to forward them. These access tokens should be signed by our various signature methods so upstreams can be assured that these tokens have not been tampered with via a MITM attack.
jphines requested a review from shrayolacrayon
jphines self-assigned this
shrayolacrayon approved these changes Apr 17, 2019
jphines merged commit 3f8de31 into master
jphines deleted the proxy-request-signatures-should-include-token branch
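
The gap described in this PR, as an added example that is not part of the PR or of buzzfeed/sso's code: an HMAC-SHA256 stand-in for the proxy's signature methods shows that a forwarded token left out of the signed header list can change in transit without the upstream check failing, while a signed token makes verification fail. The header names, key and request are constructed assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
)

// Header names are assumptions for this example, not taken from the PR.
const tokenHeader = "X-Forwarded-Access-Token"
var baseHeaders = []string{"X-Forwarded-User", "X-Forwarded-Email"}

// sign returns a hex HMAC-SHA256 over method, path and each listed header (length-prefixed).
func sign(key []byte, r *http.Request, signed []string) string {
	mac := hmac.New(sha256.New, key)
	write := func(s string) { fmt.Fprintf(mac, "%d:%s\n", len(s), s) }
	write(r.Method)
	write(r.URL.Path)
	for _, h := range signed {
		write(h)
		write(r.Header.Get(h))
	}
	return hex.EncodeToString(mac.Sum(nil))
}

// verify recomputes the signature on the upstream side and compares in constant time.
func verify(key []byte, r *http.Request, signed []string, sig string) bool {
	return hmac.Equal([]byte(sign(key, r, signed)), []byte(sig))
}

// tamperDetected signs a constructed request as the proxy would, changes the
// forwarded token after signing, and reports whether the upstream check fails.
func tamperDetected(signed []string) bool {
	key := []byte("constructed-shared-key")
	r, _ := http.NewRequest("GET", "http://upstream.internal/api", nil)
	r.Header.Set("X-Forwarded-User", "alice")
	r.Header.Set("X-Forwarded-Email", "alice@example.com")
	r.Header.Set(tokenHeader, "token-issued-by-provider")
	sig := sign(key, r, signed)
	r.Header.Set(tokenHeader, "token-changed-in-transit")
	return !verify(key, r, signed, sig)
}

func main() {
	fmt.Println("token unsigned, change detected:", tamperDetected(baseHeaders))
	fmt.Println("token signed, change detected:", tamperDetected(append(baseHeaders, tokenHeader)))
}
```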