
Authentication of public administration customers

state/s_hash in the OIDC standard

The state parameter in the OIDC authorization request can be used to send the documentReferences from the IdentificationReport to the OIDC server. The OIDC server then responds with the state hash (s_hash).

state
    RECOMMENDED. Opaque value used to maintain state between the request and the callback. Typically, Cross-Site Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a browser cookie. 

s_hash
    State hash value. Its value is the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the state value, where the hash algorithm used is the hash algorithm used in the alg header parameter of the ID Token's JOSE header. For instance, if the alg is HS512, hash the state value with SHA-512, then take the left-most 256 bits and base64url encode them. The s_hash value is a case sensitive string.
Edited by Marco Holz
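
The s_hash rule quoted above, as an added example that is not part of the original issue or of any project code: a client computes the expected s_hash from the state it sent and compares it with the claim in the ID Token. It generalizes the HS512 case to the HS/RS/PS/ES 256/384/512 algorithm names; the function names and the sample state value are assumptions constructed here.

```python
import base64
import hashlib
import hmac

# SHA-2 variant selected by the numeric suffix of the JOSE alg name.
_HASH_BY_SUFFIX = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}
_ALG_PREFIXES = ("HS", "RS", "PS", "ES")


def compute_s_hash(state: str, alg: str) -> str:
    """Return the s_hash for `state` under the ID Token's `alg` header value."""
    prefix, suffix = alg[:2], alg[2:]
    if prefix not in _ALG_PREFIXES or suffix not in _HASH_BY_SUFFIX:
        # Covers "none" and anything whose hash cannot be derived from the name.
        raise ValueError(f"unsupported alg for s_hash: {alg!r}")
    # Hash the octets of the ASCII representation of the state value.
    digest = _HASH_BY_SUFFIX[suffix](state.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]
    # JOSE base64url: URL-safe alphabet, trailing '=' padding omitted.
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def verify_s_hash(state_sent: str, id_token_alg: str, s_hash_claim) -> bool:
    """Check the s_hash claim against the state stored in the client session."""
    if not isinstance(s_hash_claim, str):
        return False  # claim missing or of the wrong type
    try:
        expected = compute_s_hash(state_sent, id_token_alg)
    except (ValueError, UnicodeEncodeError):
        return False
    # Exact, case-sensitive comparison in constant time.
    return hmac.compare_digest(expected.encode(), s_hash_claim.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: a state value carrying a document reference.
    state = "docref-3f2a9c-constructed"
    claim = compute_s_hash(state, "HS512")
    print("s_hash:", claim)
    print("matches original state:", verify_s_hash(state, "HS512", claim))
    print("matches altered state:", verify_s_hash(state + "x", "HS512", claim))
```

The client must take the state from its own session storage, not from the callback parameters, otherwise the comparison checks nothing.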