[ 
https://issues.apache.org/jira/browse/CXF-9224?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh reassigned CXF-9224:
----------------------------------------

    Assignee:     (was: Colm O hEigeartaigh)

> Authorization responses omit RFC 9207 iss parameter, exposing clients to 
> OAuth mix-up attacks
> ---------------------------------------------------------------------------------------------
>
>                 Key: CXF-9224
>                 URL: https://issues.apache.org/jira/browse/CXF-9224
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS, JAX-RS Security
>    Affects Versions: 4.2.2
>            Reporter: Guanping Zhang
>            Priority: Minor
>
> According to RFC 9207 (OAuth 2.0 Authorization Server Issuer Identification), 
> the authorization server MUST return an {{iss}} parameter in the 
> authorization response (alongside {{code}} or {{state}}) to allow the 
> client to cryptographically verify which AS issued the response.
>
> Currently, CXF's {{AuthorizationCodeGrantService}}, 
> {{AbstractImplicitGrantService}}, and {{OidcHybridService}} build the 
> redirect URI without including the {{iss}} parameter. This leaves clients 
> registered with multiple authorization servers vulnerable to OAuth mix-up 
> attacks, as they cannot definitively bind the response to the intended issuer.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
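The following is an added Python example, not code from Apache CXF or from the issue reporter. It shows both halves of the RFC 9207 mechanism the issue describes: an authorization server appending the iss parameter to the authorization response, and a client registered with two authorization servers binding each pending state to the issuer it sent the request to and rejecting a callback whose iss is missing (when the AS advertises support) or does not match. The issuer URLs, client callback URL, state values, and the AS metadata dictionary are constructed for the example; the authorization_response_iss_parameter_supported metadata key is the one RFC 9207 defines.

```python
from urllib.parse import parse_qs, urlencode, urlsplit


class AuthorizationResponseError(Exception):
    """Raised when an authorization response fails RFC 9207 issuer validation."""


# Constructed AS metadata for two issuers the client is registered with.
# RFC 9207 has the AS advertise iss support with this metadata key.
AS_METADATA = {
    "https://as-a.example": {"authorization_response_iss_parameter_supported": True},
    "https://as-b.example": {"authorization_response_iss_parameter_supported": True},
}


def build_authorization_response(redirect_uri, code, state, issuer):
    """AS side: add code, state and the RFC 9207 iss parameter to the redirect URI.

    This is the step the issue reports as missing from CXF's grant services.
    """
    params = {"code": code, "state": state, "iss": issuer}
    separator = "&" if urlsplit(redirect_uri).query else "?"
    return redirect_uri + separator + urlencode(params)


def single(params, name):
    """Return the one value of a query parameter, None if absent, error if repeated."""
    values = params.get(name)
    if values is None:
        return None
    if len(values) != 1:
        raise AuthorizationResponseError(f"parameter {name!r} must appear exactly once")
    return values[0]


class Client:
    """Client side: remember which issuer each authorization request went to."""

    def __init__(self, as_metadata):
        self.as_metadata = as_metadata
        self.pending = {}  # state -> issuer the authorization request was sent to

    def start_authorization(self, state, issuer):
        # In a real client the state is a fresh random value; it is a parameter
        # here so the example is deterministic.
        self.pending[state] = issuer

    def handle_callback(self, callback_url):
        query = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)
        state = single(query, "state")
        # pop() makes state single-use, so a replayed response is rejected too.
        expected_issuer = self.pending.pop(state, None)
        if expected_issuer is None:
            raise AuthorizationResponseError("unknown or already-used state")

        iss = single(query, "iss")
        supports_iss = self.as_metadata[expected_issuer].get(
            "authorization_response_iss_parameter_supported", False
        )
        if iss is None:
            if supports_iss:
                # RFC 9207: a client that knows the AS supports iss MUST reject
                # a response that omits it.
                raise AuthorizationResponseError(
                    f"iss missing, but {expected_issuer} advertises iss support"
                )
            # A legacy AS without iss support: the client must fall back to other
            # mix-up mitigations; this example simply proceeds.
        elif iss != expected_issuer:
            # The mix-up case: a response that did not come from the issuer the
            # request was sent to. The code must not be redeemed anywhere.
            raise AuthorizationResponseError(
                f"iss {iss!r} does not match expected issuer {expected_issuer!r}"
            )
        return {"code": single(query, "code"), "issuer": expected_issuer}


if __name__ == "__main__":
    client = Client(AS_METADATA)
    client.start_authorization("state-1", "https://as-b.example")
    good = build_authorization_response(
        "https://client.example/cb", "c0de", "state-1", "https://as-b.example"
    )
    print(client.handle_callback(good))

    client.start_authorization("state-2", "https://as-b.example")
    mixed_up = build_authorization_response(
        "https://client.example/cb", "c0de", "state-2", "https://as-a.example"
    )
    try:
        client.handle_callback(mixed_up)
    except AuthorizationResponseError as err:
        print("rejected:", err)
```

The client compares iss against the issuer it recorded when it started the flow, not against any issuer it happens to be registered with; a comparison against the full registered set would still let a response from the wrong server through.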
