*Status Quo*

Let's say there are two legitimate service providers A and B. Both A and B are registered in IdP X as SAML2 service providers. The only difference is that A is enabled to exchange a SAML2 assertion with WSO2 IS using the SAML2 Bearer Assertion grant flow. To do this, WSO2 IS's token endpoint is set as an audience and recipient in the SAML2 assertion for A. For B this is not the case.

When we validate the SAML2 assertion sent to the token endpoint in IS, we simply validate whether the list of audiences contains the token endpoint (or some acceptable alias). We don't validate whether this assertion was in fact sent by the intended recipient of the assertion. This implementation is of course compatible with the specifications.

*Problem*

If B is somehow able to get hold of the assertion intended for A, and sends it to the token endpoint with B's client credentials, WSO2 IS will still issue a valid OAuth2 access token.

*Proposed Solution*

If sharing of SAML2 assertions between OAuth2 clients is not required, we can have an option in the token endpoint to validate the client_id identified from the basic auth header (or any other means, depending on the client authentication mechanism) against the client_id in the SAML2 assertion. To do this, IdP X has to support adding multiple additional audiences to the SAML2 assertion. Also, the client_id issued by WSO2 IS (which is public info) needs to be configured as an audience in IdP X. I don't see any issue with this either. This will allow us to validate that the intended recipient of the SAML2 assertion is the one who is in fact sending it to the OAuth2 token endpoint to exchange it for an OAuth2 access token.

*Benefit*

This will give us a way to make sure that the OAuth2 client requesting the access token has obtained the assertion by authorized means (not stolen).

Thoughts?

P.S. This is not just for IS service providers where SAML2 and OAuth2 inbound configurations can be done for the same service provider. This proposal goes beyond that, to any OAuth2 authorization server.

Thanks & Regards,
Johann.

--
*Johann Dilantha Nallathamby* | Associate Director/Solutions Architect | WSO2 Inc.
(m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) joh...@wso2.com
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
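As an added illustration (not WSO2 IS code or part of the original mail), the following contrasts the current audience-only check with the proposed client_id-as-audience check on a constructed assertion issued to A. The token endpoint URL, alias and client_id values are assumed, and XML signature validation is assumed to have already happened.

```python
"""Audience checks for a SAML2 bearer assertion presented at the OAuth2 token endpoint.

  1. current behaviour: the Audience list contains the token endpoint (or alias);
  2. proposed stricter option: the Audience list also contains the client_id the
     client authenticated with, so a client cannot replay an assertion that was
     issued to a different client.
Signature validation of the assertion is assumed to have happened earlier.
"""
import xml.etree.ElementTree as ET

SAML2_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
TOKEN_ENDPOINT = "https://is.example.com/oauth2/token"  # assumed endpoint URL
ACCEPTED_ALIASES = {TOKEN_ENDPOINT, "https://is.example.com/oauth2token"}  # assumed alias

# Constructed sample: the assertion IdP X would issue for service provider A,
# with both the token endpoint and A's client_id as audiences.
ASSERTION_FOR_A = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject><saml2:NameID>alice</saml2:NameID></saml2:Subject>
  <saml2:Conditions>
    <saml2:AudienceRestriction>
      <saml2:Audience>https://is.example.com/oauth2/token</saml2:Audience>
      <saml2:Audience>client_id_of_A</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>"""


def audiences(assertion_xml: str) -> set[str]:
    """Return every Audience value under Conditions/AudienceRestriction."""
    root = ET.fromstring(assertion_xml)
    path = "saml2:Conditions/saml2:AudienceRestriction/saml2:Audience"
    return {a.text.strip() for a in root.findall(path, SAML2_NS) if a.text}


def validate_bearer_assertion(assertion_xml: str, authenticated_client_id: str,
                              bind_to_client: bool) -> tuple[bool, str]:
    """Decide whether the token endpoint may exchange this assertion.

    bind_to_client=False reproduces the current audience-only check;
    True adds the proposed check that the authenticated client_id is an audience.
    """
    auds = audiences(assertion_xml)
    if not auds & ACCEPTED_ALIASES:
        return False, "token endpoint is not an audience of the assertion"
    if bind_to_client and authenticated_client_id not in auds:
        return False, "assertion was not issued to the authenticated client"
    return True, "ok"
```

With `bind_to_client=False`, B authenticating with its own credentials and presenting A's assertion is accepted; with the option enabled the same request is rejected.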