Ensuring connection security

The operator of the application connected to Blitz Identity Provider must ensure compliance with the following security requirements:

  1. The confidentiality of the client_secret value received for the application during registration in Blitz Identity Provider must be ensured:

    • It is forbidden to disclose the value of client_secret to persons who are not involved in operating the application.

    • It is forbidden to use client_secret in the client part of the software (code executed in the browser, in a mobile application, or in a desktop application). client_secret must be used only in the server components of the application. The exception is a client_secret obtained by a mobile or desktop application through the dynamic registration operation; such a client_secret may be stored and processed in the mobile or desktop application.

    • If client_secret is compromised, a request must be submitted to replace the application's client_secret. Blitz Identity Provider supports a “smooth replacement” of client_secret: an additional client_secret can be assigned to the application for the period during which the application is being reconfigured from the old value to the new one.

  2. The confidentiality of access tokens (access_token) and refresh tokens (refresh_token) received by the application from Blitz Identity Provider must be ensured.

    • Avoid using access tokens in the browser part of the application. If this is unavoidable (an SPA), the JavaScript code that uses the access token must protect against the token value being obtained from the browser console.

    • It is forbidden to store or process the refresh token in the browser part of the application; the refresh token must be used exclusively in the server components of the application. When refresh tokens are stored by the application (in databases, files, etc.), access to the stored refresh tokens must be restricted.

  3. In the production environment, the application must interact with Blitz Identity Provider exclusively over a secure connection (HTTPS). It is forbidden to use HTTP in the application's handlers (the return addresses redirect_uri and post_logout_redirect_uri).

  4. The application is not allowed to open the Blitz Identity Provider login page in a frame.

  5. When connecting mobile applications to Blitz Identity Provider:

    • using PKCE is mandatory;

    • it is forbidden to use an embedded browser.
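The following script is an added example and is not part of the Blitz Identity Provider documentation or product: it lints a hypothetical client configuration dictionary against the requirements above (the configuration keys are assumptions made for this example) and builds the RFC 7636 PKCE pair a mobile application must send.

```python
# Added example (not Blitz Identity Provider code): lint a hypothetical client config
# dict against the requirements above and build the PKCE pair a mobile client sends.
import base64
import hashlib
import secrets
from urllib.parse import urlsplit


def check_client_config(cfg: dict) -> list:
    """Return the violated requirements (empty list = compliant). cfg keys are assumed."""
    problems = []
    kind = cfg.get("kind", "server")  # "server", "spa", "mobile" or "desktop"
    # 1. client_secret belongs in server components, unless a mobile/desktop
    #    application obtained it through dynamic registration.
    if cfg.get("client_secret_in_client") and not (
            kind in ("mobile", "desktop") and cfg.get("dynamic_registration")):
        problems.append("client_secret must not be used in client-side code")
    # 2. refresh tokens are never stored or processed in the browser part.
    if cfg.get("refresh_token_in_browser"):
        problems.append("refresh_token must be used only in server components")
    # 3. HTTP return addresses are forbidden (custom mobile schemes pass).
    for key in ("redirect_uris", "post_logout_redirect_uris"):
        for uri in cfg.get(key, []):
            if urlsplit(uri).scheme.lower() == "http":
                problems.append(f"{key}: {uri} uses HTTP instead of HTTPS")
    # 4. the login page may not be opened inside a frame.
    if cfg.get("login_in_frame"):
        problems.append("login page must not be opened in a frame")
    # 5. mobile applications: PKCE is mandatory, embedded browsers are forbidden.
    if kind == "mobile":
        if not cfg.get("pkce"):
            problems.append("mobile applications must use PKCE")
        if cfg.get("embedded_browser"):
            problems.append("mobile applications must not use an embedded browser")
    return problems

def pkce_challenge(verifier: str) -> str:
    """S256 transform (RFC 7636): BASE64URL(SHA256(ASCII(verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def make_pkce_pair() -> tuple:
    """Fresh code_verifier (43 unreserved characters) and its code_challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    return verifier, pkce_challenge(verifier)

# Constructed sample: a mobile client that breaks several of the rules above.
BAD_MOBILE_CONFIG = {"kind": "mobile", "pkce": False, "embedded_browser": True,
                     "client_secret_in_client": True, "redirect_uris": ["http://localhost/cb"]}
```

Running `check_client_config(BAD_MOBILE_CONFIG)` reports four violations; a custom-scheme redirect URI such as `myapp://cb` passes the HTTP check because only HTTP is forbidden.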