1
votes

How to restrict OpenID Connect requests from unknown sources?

If an access token is available, anyone can request userinfo (we are saving user information and claims into userinfo), which we want to restrict.

That is, we should allow requests from known clients only.

Note: we are using Keycloak as the Identity Server.

Please help!!

1 Answer

0
votes

First and foremost, an access token must be protected the same as user credentials. What the OAuth 2.0 framework gives us is the ability to replace username/password based authentication/authorization with dynamically generated tokens. Thus these tokens must be protected. That is why TLS is a must for token transmission.

RFC 6749 section 10.3: "Access token credentials (as well as any confidential access token attributes) MUST be kept confidential in transit and storage, and only shared among the authorization server, the resource servers the access token is valid for, and the client to whom the access token is issued. Access token credentials MUST only be transmitted using TLS as described in Section 1.6 with server authentication as defined by [RFC2818]."

So if you are worrying over access token misuse, you must first worry about adopting token based communication. Your clients must be secure enough not to misuse the tokens.

Also, one other thing you can do is to enable CORS headers to restrict access to the endpoint. But this is only after protecting the tokens!

P.S. Alternatively, network configurations can be set to allow only the known/valid IP addresses to communicate with your back end. But that is out of the OIDC protocol.
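The three controls the answer lists (TLS-only transport, a CORS origin allowlist, and a network allowlist) as one request gate in front of a userinfo-style endpoint. This is an added illustration, not code from the answer or from Keycloak; the origins, networks and header shapes are constructed, and real token validation is left to the identity provider.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed allowlists for illustration (hypothetical values, not Keycloak config).
KNOWN_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
KNOWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.0.2.0/24")]


@dataclass
class Decision:
    allowed: bool
    reason: str
    cors_headers: dict = field(default_factory=dict)


def gate_userinfo_request(scheme: str, headers: dict, remote_addr: str) -> Decision:
    """Decide whether a userinfo request may proceed. `headers` is a plain dict
    with canonical header names; token signature/expiry checks happen elsewhere."""
    # 1. TLS only (RFC 6749 section 10.3): never accept a bearer token over plain HTTP.
    if scheme != "https":
        return Decision(False, "bearer token sent over non-TLS transport")

    # 2. A bearer token must be present at all.
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer ") or not auth[7:].strip():
        return Decision(False, "missing bearer token")

    # 3. CORS: only echo Access-Control-Allow-Origin for known origins. A browser
    #    enforces this for the user, but a non-browser client sends no Origin at
    #    all, so CORS on its own is not a gate against unknown callers.
    origin = headers.get("Origin")
    if origin is not None and origin not in KNOWN_ORIGINS:
        return Decision(False, f"origin {origin} is not a known client")
    cors = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"} if origin else {}

    # 4. Network allowlist: outside the OIDC protocol, but it is what actually
    #    stops the Origin-less caller that step 3 let through.
    addr = ipaddress.ip_address(remote_addr)
    if not any(addr in net for net in KNOWN_NETWORKS):
        return Decision(False, f"source {remote_addr} is not in the allowlist")

    return Decision(True, "ok", cors)
```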