It does not work if the AS does not check the redirect URI completely. Facebook being the main example here, and I guess they won't change this soon (for backwards compatibility). Adding the iss parameter won't break things.
-Daniel

Am 09.05.2016 um 05:45 schrieb Nat Sakimura:
> Hi Daniel,
>
> May I ask again why separate redirect uri would not work for mix-up?
> (I know, it does not work for cut-n-paste.)
>
> Thanks,
>
> Nat
>
> 2016年5月5日(木) 23:28 Daniel Fett <[email protected] <mailto:[email protected]>>:
>
> > Am 23.04.2016 um 13:47 schrieb Torsten Lodderstedt:
> > > I'm very much interested to find a solution within the OAuth realm as
> > > I'm not interested to either implement two solutions (for OpenId Connect
> > > and OAuth) or adopt a OpenId-specific solution to OAuth (use id tokens
> > > in the front channel). I therefore would like to see progress and
> > > propose to continue the discussion regarding mitigations for both threats.
> > >
> > > https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-00
> > > proposes reasonable mitigations for both attacks. There are alternatives
> > > as well:
> > > - mix up:
> > > -- AS specific redirect uris
> > > -- Meta data/turi
> > > (https://tools.ietf.org/html/draft-sakimura-oauth-meta-07#section-5)
> > > - CnP:
> > > -- use of the nonce parameter (as a distinct mitigation beside state for
> > > counter XSRF)
> >
> > From our formal analysis of OAuth we are pretty confident that the
> > mitigation proposed in draft-ietf-oauth-mix-up-mitigation-00 should be
> > sufficient against the Mix-Up attack.
> >
> > Cheers,
> > Daniel
> >
> > --
> > Informationssicherheit und Kryptografie
> > Universität Trier - Tel. 0651 201 2847 - H436
> >
> > _______________________________________________
> > OAuth mailing list
> > [email protected] <mailto:[email protected]>
> > https://www.ietf.org/mailman/listinfo/oauth
>
> --
> Nat Sakimura
> Chairman of the Board, OpenID Foundation
> Trustee, Kantara Initiative

--
Informationssicherheit und Kryptografie
Universität Trier - Tel. 0651 201 2847 - H436

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
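Added example (not code from this thread or from any of its participants): a small Python model of the two mix-up mitigations discussed above, from the client's side. The issuer identifiers, redirect URIs and state handling are constructed for illustration. The first check follows the draft-ietf-oauth-mix-up-mitigation-00 idea of binding the pending request's state to the AS it was sent to and requiring a matching iss in the authorization response. The second models the "one redirect URI per AS" approach and shows why it only isolates authorization servers when the AS compares the whole redirect URI rather than just the origin, which is the incomplete check the reply points at.

```python
import secrets
from urllib.parse import urlparse, parse_qs

# Constructed example configuration (not from the thread): the client
# talks to two authorization servers and registers a distinct redirect
# URI with each one, keyed by the AS issuer identifier.
AUTH_SERVERS = {
    "https://as-a.example": "https://client.example/cb/as-a",
    "https://as-b.example": "https://client.example/cb/as-b",
}

# Pending authorization requests: state -> issuer the user was sent to.
# A real client would keep this in the user's session, not a global dict.
PENDING = {}


def start_authorization(issuer):
    """Bind a fresh, single-use state value to the AS the request goes to."""
    if issuer not in AUTH_SERVERS:
        raise ValueError("unknown AS")
    state = secrets.token_urlsafe(16)
    PENDING[state] = issuer
    return state


def _query(url):
    """First value of every query parameter in the callback URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def handle_callback_with_iss(callback_url):
    """Mix-up check in the style of draft-ietf-oauth-mix-up-mitigation-00:
    the authorization response must carry iss, and it must equal the
    issuer recorded for this state. Returns (accepted, reason_or_issuer)."""
    params = _query(callback_url)
    # pop() makes the state single-use, so a replayed callback is rejected.
    expected_iss = PENDING.pop(params.get("state"), None)
    if expected_iss is None:
        return False, "unknown or already used state"
    iss = params.get("iss")
    if iss is None:
        return False, "missing iss parameter"
    if iss != expected_iss:
        return False, "iss does not match the AS this state was issued for"
    if "code" not in params:
        return False, "missing code"
    return True, expected_iss


def as_accepts_redirect_uri(registered, requested, exact_match):
    """Model of the AS-side redirect_uri check. With exact_match=True the AS
    compares the full URI; with exact_match=False it compares only scheme
    and host, the incomplete check the thread warns about."""
    if exact_match:
        return requested == registered
    reg, req = urlparse(registered), urlparse(requested)
    return (reg.scheme, reg.netloc) == (req.scheme, req.netloc)


def redirect_uri_mitigation_holds(honest_issuer, exact_match):
    """Does 'one redirect URI per AS' let the client tell which AS answered?
    Only if that AS refuses every callback URI except the one registered
    for it. Under the loose check it also accepts the callbacks registered
    for the other servers, so the callback path no longer identifies the AS."""
    honest_cb = AUTH_SERVERS[honest_issuer]
    other_cbs = [cb for iss, cb in AUTH_SERVERS.items() if iss != honest_issuer]
    return not any(as_accepts_redirect_uri(honest_cb, cb, exact_match)
                   for cb in other_cbs)


if __name__ == "__main__":
    st = start_authorization("https://as-a.example")
    print(handle_callback_with_iss(
        "https://client.example/cb/as-a?code=c1&state=%s&iss=https://as-a.example" % st))
    print("per-AS redirect URIs hold with exact matching:",
          redirect_uri_mitigation_holds("https://as-a.example", True))
    print("per-AS redirect URIs hold with origin-only matching:",
          redirect_uri_mitigation_holds("https://as-a.example", False))
```

The iss check depends only on the client and on the AS adding one parameter to its response, which is why it survives an AS with loose redirect URI matching; the per-AS redirect URI approach has no effect at all on such an AS, as the last call illustrates.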
