[ https://issues.apache.org/jira/browse/CXF-9224?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh reassigned CXF-9224:
----------------------------------------
Assignee: (was: Colm O hEigeartaigh)
> Authorization responses omit RFC 9207 iss parameter, exposing clients to
> OAuth mix-up attacks
> ---------------------------------------------------------------------------------------------
>
> Key: CXF-9224
> URL: https://issues.apache.org/jira/browse/CXF-9224
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS, JAX-RS Security
> Affects Versions: 4.2.2
> Reporter: Guanping Zhang
> Priority: Minor
>
> According to RFC 9207 (OAuth 2.0 Authorization Server Issuer Identification),
> the authorization server MUST return an {{iss}} parameter in the
> authorization response (alongside {{code}} or {{state}}) to allow the
> client to cryptographically verify which AS issued the response.
>
> Currently, CXF's {{AuthorizationCodeGrantService}},
> {{AbstractImplicitGrantService}}, and {{OidcHybridService}} build the
> redirect URI without including the {{iss}} parameter. This leaves clients
> registered with multiple authorization servers vulnerable to OAuth mix-up
> attacks, as they cannot definitively bind the response to the intended issuer.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
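The client-side half of RFC 9207 that the report refers to, as an added example (not CXF's code): a client registered with two authorization servers binds each authorization response to the issuer it started the flow with, and rejects responses whose iss is missing or does not match. The issuer URLs, the AS_METADATA table, validate_authorization_response and MixUpError are constructed for this example.

```python
# Added example (not CXF code): RFC 9207 client-side issuer check for a client
# registered with several authorization servers. All names/URLs are constructed.
from urllib.parse import urlsplit, parse_qs
import hmac

# Constructed metadata for the two authorization servers the client uses; the
# flag is the RFC 9207 metadata entry that tells the client to expect iss.
AS_METADATA = {
    "https://as-a.example": {"authorization_response_iss_parameter_supported": True},
    "https://as-b.example": {"authorization_response_iss_parameter_supported": True},
}

class MixUpError(Exception):
    """Raised when the response cannot be bound to the issuer the flow started with."""

def validate_authorization_response(redirect_uri, flow):
    """Validate the query string the user agent brought back to the redirect URI.

    `flow` is what the client stored before redirecting the user:
    {"issuer": <AS the flow was started with>, "state": <random state value>}.
    Returns the accepted parameters, or raises MixUpError.
    """
    params = parse_qs(urlsplit(redirect_uri).query, keep_blank_values=True)
    for name, values in params.items():
        if len(values) != 1:
            raise MixUpError(f"parameter {name!r} repeated")
    flat = {k: v[0] for k, v in params.items()}

    # First bind the response to the pending flow (state), then to the issuer.
    # compare_digest expects ASCII strings; state values here are ASCII.
    if not hmac.compare_digest(flat.get("state", ""), flow["state"]):
        raise MixUpError("state does not match the pending flow")

    expected = flow["issuer"]
    supports_iss = AS_METADATA[expected]["authorization_response_iss_parameter_supported"]
    iss = flat.get("iss")
    if iss is None:
        if supports_iss:
            # The AS advertised iss support, so its absence is itself a failure:
            # this is exactly the response the issue says CXF currently produces.
            raise MixUpError("iss missing from authorization response")
        # Legacy AS without iss: the client has nothing to bind the issuer to.
        return flat
    # RFC 9207 requires a simple string comparison, with no URL normalisation.
    if iss != expected:
        raise MixUpError(f"iss {iss!r} does not match expected issuer {expected!r}")
    return flat
```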