The nature of the IDHub and Gateway application potentially exposes it to malicious users. The TrustBuilder Corporation can provide additional documentation to help you to further secure your environment.
For obvious reasons we cannot put this documentation online, so it can be requested by e-mail or via a support ticket.
We have the following documentation available:
The best-practices document points out a number of gateway configuration changes that can be made to enhance the security of the application.
Threat Model (under development, expected Q4 2019)
This document describes a study done on a typical IDHub implementation. It maps all the data flows and possible attack surfaces.
For each attack surface we try to list all the possible vulnerabilities and mitigations.
OAuth Security Recommendations (under development)
OAuth and OpenID Connect are complex protocols. Several RFCs describe additional security checks and enhancements that should be considered. This document provides guidance on applying these to IDHub OAuth implementations.
Core OAuth Specification: https://tools.ietf.org/html/rfc6749#section-10
OAuth Threat Model: https://tools.ietf.org/html/rfc6819
Core OpenID Specification: https://openid.net/specs/openid-connect-core-1_0.html#Security