Vulnerability Discussion
An API must issue assertions when it acts as an identity provider or plays a role in secure authentication and authorization processes. Assertions are structured, verifiable claims (such as user identity, roles, or permissions) that allow other systems to trust the information being exchanged. In protocols like SAML, OAuth, or OpenID Connect, issuing assertions (e.g., SAML assertions or JWTs) enables the API to confirm that a user has been authenticated and is authorized to access specific resources. This is essential for enabling secure communication across systems, enforcing access control, and ensuring that sensitive operations are only performed by verified users or applications. Without issuing assertions, the API cannot provide the trust and security guarantees required in modern distributed systems.
Check
Review the API's authentication and authorization mechanisms. Verify that assertions are issued by the correct identity provider (IdP) for the identity source.
Verify the API adheres to the defined authentication standards to ensure that only authenticated and authorized entities can issue assertions.
Check that the assertions include the necessary identity information (e.g., user ID, roles, and claims) and are signed or encrypted.
Validate that the issuance process complies with any guidelines regarding assertion lifetime, scope, and audience.
Check that the API enforces rules for assertion expiration, audience restrictions, and security measures like encryption or digital signatures, ensuring assertions cannot be tampered with or misused.
Consult the organization's identity management documentation and compare it to the API's implementation to ensure full alignment with the defined policies.
If the API is not issuing assertions in accordance with organization-defined identification and authentication policy, this is a finding.
Fix
Build or configure the API to issue assertions in accordance with organization-defined identification and authentication policy.
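As an added illustration (not part of this check text or any specific product), the following Python shows an API issuing a signed JWT assertion that carries the identity claims listed above and enforcing the lifetime, audience, issuer and signature rules a reviewer would look for. The issuer URL, shared secret, role values and 15-minute lifetime cap are constructed assumptions; a production IdP would normally sign with an asymmetric key (RS256/ES256) rather than HS256.

```python
import base64, hmac, hashlib, json, time

# Constructed values for the example: real deployments take these from policy and a key store.
SECRET = b"constructed-demo-secret"            # HS256 shared key (assumption)
ISSUER = "https://idp.example.test"           # hypothetical identity provider
MAX_LIFETIME = 900                             # policy: assertions live at most 15 minutes

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_assertion(subject, roles, audience, lifetime=MAX_LIFETIME, now=None):
    """Issue an HS256-signed JWT carrying identity claims, scoped to one audience."""
    if lifetime > MAX_LIFETIME:
        raise ValueError("requested lifetime exceeds policy")
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": subject, "aud": audience, "roles": roles,
               "iat": now, "exp": now + lifetime}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_assertion(token, expected_audience, now=None):
    """Return the claims only if signature, issuer, audience, lifetime and required claims check out."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":           # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != expected_audience:  # audience restriction
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("assertion expired")
    for required in ("sub", "roles"):          # identity information the policy requires
        if required not in claims:
            raise ValueError(f"missing claim {required}")
    return claims
```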