
[Enhancement] Security enhancements for OIDC authentication #1390

Open
1earch opened this issue Jun 10, 2020 · 1 comment
Comments

@1earch

1earch commented Jun 10, 2020

Dear @To-om and @nadouani,

I would like to group in one thread some feature requests to enhance security for the implemented OIDC authentication. This list will surely duplicate some existing requests, but I thought it was interesting to keep an updated and simple list.

  1. Add a state and a nonce parameter in the OIDC auth request, in order to protect from CSRF and replay attacks. This request was first formulated in No nonce/state included for Oauth2/OpenID #1135 by @d3vzer0. I thought I would find time to implement it, but sadly I haven't for now and may not for some weeks at least...
  2. Add support for the optional acr_values parameter, so that we can specify authentication requirements to our identity provider.
  3. Change the OIDC autologin feature so that we don't enter an infinite loop. This bug was discovered by @shortstack and mentioned here

For 1 and 2, you can find interesting info here. Finally, please note that #1010 is resolved.

Could you integrate these features?

Best regards

@1earch 1earch added the bug label Jun 10, 2020
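The following is an added example of what points 1 and 2 above look like on the relying-party side; it is not TheHive's code and is not taken from the issue or its linked references. It assumes a hypothetical identity provider endpoint, client id, redirect URI and ACR value (all constructed), and it assumes that the ID token's signature, issuer, audience and expiry have already been verified by a JOSE library before `check_id_token_claims` is called. The `state` is stored server-side, bound to the login attempt, consumed exactly once and expired after a short TTL (the CSRF protection); the `nonce` generated with it must come back inside the ID token (the replay protection); `acr_values` is sent as a space-separated preference list and the returned `acr` claim is checked against it.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed values for a hypothetical deployment; not TheHive's configuration.
AUTHORIZATION_ENDPOINT = "https://idp.example/authorize"
CLIENT_ID = "thehive-client"
REDIRECT_URI = "https://thehive.example/api/ssoLogin"
STATE_TTL_SECONDS = 300  # how long a pending login attempt stays valid


class OidcLoginFlow:
    """Minimal relying-party side of the OIDC authorization-code flow with state/nonce/acr_values."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be exercised deterministically
        # state -> (nonce, issued_at, acr_values); stands in for the server-side session store
        self._pending = {}

    @staticmethod
    def query_params(url):
        """Return the query string of `url` as a dict of single values (helper for callers and tests)."""
        return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

    def build_auth_request(self, acr_values=None):
        """Create a fresh login attempt and return the authorization URL to redirect the browser to."""
        state = secrets.token_urlsafe(32)  # unguessable, bound to this browser session
        nonce = secrets.token_urlsafe(32)  # must be echoed back inside the ID token
        self._pending[state] = (nonce, self._clock(), acr_values)
        params = {
            "response_type": "code",
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "scope": "openid profile email",
            "state": state,
            "nonce": nonce,
        }
        if acr_values:
            # Optional: tell the IdP which authentication context classes are acceptable
            params["acr_values"] = acr_values
        return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"

    def handle_callback(self, callback_url):
        """Validate the redirect back from the IdP; returns (code, expected_nonce, acr_values) or raises."""
        query = self.query_params(callback_url)
        state = query.get("state")
        code = query.get("code")
        if state is None or code is None:
            raise ValueError("callback is missing state or code")
        # pop, never get: a state value is valid for exactly one callback
        entry = self._pending.pop(state, None)
        if entry is None:
            raise ValueError("unknown or already-used state (possible CSRF)")
        nonce, issued_at, acr_values = entry
        if self._clock() - issued_at > STATE_TTL_SECONDS:
            raise ValueError("state expired; start a new login")
        return code, nonce, acr_values

    @staticmethod
    def check_id_token_claims(claims, expected_nonce, acr_values=None):
        """Check the nonce and acr claims of an ID token whose signature/iss/aud/exp were already verified."""
        if not secrets.compare_digest(str(claims.get("nonce", "")), expected_nonce):
            raise ValueError("nonce mismatch (possible ID token replay)")
        if acr_values:
            acceptable = acr_values.split()
            if claims.get("acr") not in acceptable:
                raise ValueError(f"IdP returned acr={claims.get('acr')!r}, expected one of {acceptable}")
        return True


if __name__ == "__main__":
    flow = OidcLoginFlow()
    url = flow.build_auth_request(acr_values="urn:example:mfa")
    print("redirect to:", url)
    sent = OidcLoginFlow.query_params(url)
    # Constructed callback as the IdP would send it after a successful login
    code, nonce, acr = flow.handle_callback(f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={sent['state']}")
    OidcLoginFlow.check_id_token_claims({"nonce": nonce, "acr": "urn:example:mfa"}, nonce, acr)
    print("login attempt validated; exchange code", code, "for tokens next")
```

The two checks fail in the directions that matter: a callback carrying a state the server never issued (or one it has already consumed) is rejected before any code exchange happens, and an ID token whose nonce does not match the one stored for that login attempt is rejected even though its signature is valid.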
@nadouani
Contributor

Hello @1earch, thanks for this issue. We will see what can be fixed for the next TheHive3 version, which will add support for ES 7 (3.5.0).
