The Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI) is the French national agency for the security of information systems. It has published recommendations for securing OpenID Connect deployments. This page explains what to configure in order to follow them.
List of points to enable if possible, when acting as an OpenID Connect Provider (OP):
Enable hashed session storage in the security parameters; this also covers the OIDC tokens, which are stored as sessions, so that identifiers read from the session backend cannot be reused as tokens
Allow only the "authorization code" flow; disable the implicit and hybrid flows, which return tokens through the browser
Forbid the HS* (HMAC, shared secret) signature algorithms and prefer those with public/private keys (RS*, ES*, PS*): with a shared secret, every party able to verify a token is also able to forge one
Disable automatic enrollment (dynamic client registration); every relying party must be declared explicitly
Limit the TTL of the access_token to the strictly needed delay
Don't allow "open redirections": the redirect_uri of a request must exactly match one of the URIs registered for the client, with no prefix or wildcard matching
Configure the web server to deny access to /.well-known/openid-configuration; this is only possible when the relying parties are configured statically, since they can no longer discover the endpoints and keys
List of points to enable if possible, when acting as a Relying Party (RP):
Enable hashed session storage in the security parameters, so that session identifiers read from the session backend cannot be reused
Always use a nonce: send a fresh random value in each authorization request and reject any ID token whose nonce claim does not match it, so that a captured ID token cannot be replayed
Forbid the HS algorithms and accept only ID tokens signed with the public/private key algorithms (RS*, ES*, PS*) declared for the provider; never let the token's own alg header decide how it is verified
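The following is an added example, not code from the original page nor from any OpenID Connect product; it illustrates the checks behind both lists above in plain Python. The relying-party side enforces an algorithm allow-list before looking at the signature (rejecting HS256 and "none"), verifies an RS256 signature, and rejects a token whose nonce does not match the one sent; the provider side accepts only response_type=code and an exactly registered redirect_uri. The RS256 implementation (RSASSA-PKCS1-v1_5 with SHA-256), the toy deterministic 1024-bit key, the issuer https://op.example, the client id rp-client and all tokens are constructed for the demo so it runs offline; in production the signature check comes from a JOSE library fed with the keys the provider publishes.

```python
import base64, hashlib, hmac, json, math, random
# Constructed demo: RS256 (RSASSA-PKCS1-v1_5 + SHA-256) is written from scratch on a toy 1024-bit
# key so this runs offline; a real RP uses a JOSE library with the keys the OP publishes (JWKS).
def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _is_probable_prime(n, rng, rounds=16):  # Miller-Rabin
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        if pow(a, d, n) != 1 and all(pow(a, d << i, n) != n - 1 for i in range(r)):
            return False
    return True
def _random_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, exact bit length
        if _is_probable_prime(c, rng):
            return c
def generate_rsa_keypair(bits=1024, seed=1):  # deterministic toy keypair -> ((n, e), (n, d))
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _emsa_pkcs1_v1_5(data, k):  # EM = 00 01 FF..FF 00 || DigestInfo(SHA-256) || SHA-256(data)
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rs256_sign(priv, data):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v1_5(data, k), "big"), d, n).to_bytes(k, "big")
def rs256_verify(pub, data, sig):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v1_5(data, k))
def encode_jwt(header, claims, signer):
    h = _b64url(json.dumps(header, separators=(",", ":")).encode())
    c = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return h + "." + c + "." + _b64url(signer(f"{h}.{c}".encode()))

ALLOWED_ALGS = {"RS256"}  # RP policy: asymmetric algorithms only; HS* and "none" are never accepted
class TokenRejected(ValueError):
    pass
def validate_id_token(raw, op_pubkey, issuer, client_id, expected_nonce, now):
    """RP-side acceptance: alg allow-list first, then signature, then iss/aud/exp/nonce."""
    head, body, sig = raw.split(".")  # ValueError on a malformed token
    alg = json.loads(_b64url_decode(head)).get("alg")
    if alg not in ALLOWED_ALGS:  # decided by RP policy, never by the token's own header
        raise TokenRejected(f"algorithm {alg!r} not allowed")
    if not rs256_verify(op_pubkey, f"{head}.{body}".encode(), _b64url_decode(sig)):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(body))
    aud = claims.get("aud")
    if claims.get("iss") != issuer or client_id not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("wrong issuer or audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise TokenRejected("token expired")
    if not expected_nonce or claims.get("nonce") != expected_nonce:
        raise TokenRejected("nonce missing or mismatched")
    return claims

def check_authorization_request(registered_redirect_uris, params):
    """OP-side gate: code flow only, exact redirect_uri match (no prefix or wildcard), nonce present."""
    if params.get("response_type") != "code":
        return "only response_type=code is allowed"
    if params.get("redirect_uri") not in registered_redirect_uris:
        return "redirect_uri is not registered for this client"
    if not params.get("nonce"):
        return "nonce is required"
    return None  # accepted

def demo(now=1_700_000_000):
    pub, priv = generate_rsa_keypair()
    nonce = "n-0S6_WzA2Mj"  # constructed: what the RP sent in its authorization request
    claims = {"iss": "https://op.example", "aud": "rp-client", "sub": "alice", "exp": now + 300, "nonce": nonce}
    def verdict(token, expected_nonce=nonce):
        try:
            validate_id_token(token, pub, "https://op.example", "rp-client", expected_nonce, now)
            return "accepted"
        except TokenRejected as exc:
            return f"rejected: {exc}"
    genuine = encode_jwt({"alg": "RS256", "typ": "JWT"}, claims, lambda d: rs256_sign(priv, d))
    # Key-confusion forgery: HS256 keyed with the OP's public key, which a verifier that trusts the
    # header's alg and reuses the public key as HMAC secret would accept.
    forged = encode_jwt({"alg": "HS256"}, claims, lambda d: hmac.new(str(pub[0]).encode(), d, hashlib.sha256).digest())
    unsigned = encode_jwt({"alg": "none"}, claims, lambda d: b"")
    return {"genuine": verdict(genuine), "hs256": verdict(forged), "none": verdict(unsigned),
            "replay": verdict(genuine, "other-nonce")}
```

Running demo() returns the verdicts for the four constructed tokens: only the genuine RS256 token is accepted, the HS256 and "none" forgeries are refused on the algorithm gate before any signature work, and the genuine token presented under a different nonce is refused as a replay. The order of checks is the point: the algorithm decision is the relying party's own configuration, so a token cannot talk the verifier into HMAC mode, and the nonce comparison runs only on a token whose signature has already been verified.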