hi, FWIW Facebook is not the only one here. Many OAuth providers do not do exact-matching redirect URI validation. GitHub for example is another....

regards
antonio

On May 10, 2016, at 10:23 AM, Daniel Fett <[email protected]> wrote:

> It does not work if the AS does not check the redirect URI completely. Facebook being the main example here, and I guess they won't change this soon (for backwards compatibility). Adding the iss parameter won't break things.
>
> -Daniel
>
> On 2016-05-09 at 05:45, Nat Sakimura wrote:
>
>> Hi Daniel,
>>
>> May I ask again why separate redirect uri would not work for mix-up? (I know, it does not work for cut-n-paste.)
>>
>> Thanks,
>> Nat
>>
>> On Thu, May 5, 2016 at 23:28, Daniel Fett <[email protected]> wrote:
>>
>>> On 2016-04-23 at 13:47, Torsten Lodderstedt wrote:
>>>
>>>> I'm very much interested to find a solution within the OAuth realm as I'm not interested to either implement two solutions (for OpenID Connect and OAuth) or adopt an OpenID-specific solution to OAuth (use id tokens in the front channel). I therefore would like to see progress and propose to continue the discussion regarding mitigations for both threats.
>>>>
>>>> https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-00 proposes reasonable mitigations for both attacks. There are alternatives as well:
>>>>
>>>> - mix up:
>>>>   -- AS-specific redirect uris
>>>>   -- Meta data/turi (https://tools.ietf.org/html/draft-sakimura-oauth-meta-07#section-5)
>>>> - CnP:
>>>>   -- use of the nonce parameter (as a distinct mitigation beside state for countering XSRF)
>>>
>>> From our formal analysis of OAuth we are pretty confident that the mitigation proposed in draft-ietf-oauth-mix-up-mitigation-00 should be sufficient against the Mix-Up attack.
>>>
>>> Cheers,
>>> Daniel
>>>
>>> --
>>> Information Security and Cryptography
>>> Universität Trier - Tel. 0651 201 2847 - H436
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> [email protected]
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> --
>> Nat Sakimura
>> Chairman of the Board, OpenID Foundation
>> Trustee, Kantara Initiative
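The two mitigations the thread weighs against each other, as an added example that is not part of any message above: a client that binds each pending flow (by `state`) to the AS it was started with, uses an AS-specific redirect URI, and additionally checks the `iss` parameter from draft-ietf-oauth-mix-up-mitigation before forwarding the code. The `redirect_uri_accepted` helper models the AS-side check Antonio and Daniel discuss (exact vs. prefix matching). All hostnames, client ids and the `pending` store are constructed placeholders.

```python
# Added example (not from the mailing-list thread). Names and URLs are constructed.
from urllib.parse import urlencode, urlsplit, parse_qs
import secrets

# Client configuration for two authorization servers (constructed sample data).
# Each AS gets its own redirect URI ("AS-specific redirect uris" in the thread).
AUTH_SERVERS = {
    "https://as-a.example": {"redirect_uri": "https://client.example/cb/a"},
    "https://as-b.example": {"redirect_uri": "https://client.example/cb/b"},
}

# Pending authorizations keyed by state: which AS the flow was started with.
pending = {}

def start_flow(issuer):
    """Build the authorization request and remember which AS it was sent to."""
    state = secrets.token_urlsafe(16)
    pending[state] = issuer
    params = {"response_type": "code", "client_id": "client-123",
              "redirect_uri": AUTH_SERVERS[issuer]["redirect_uri"], "state": state}
    return f"{issuer}/authorize?{urlencode(params)}", state

def redirect_uri_accepted(registered, requested, exact=True):
    """Model of AS-side redirect URI validation: exact match vs. prefix match.
    Prefix matching is the behaviour the thread says Facebook and GitHub have."""
    return requested == registered if exact else requested.startswith(registered)

def handle_callback(callback_url):
    """Validate the authorization response; return (issuer, code) only if it
    is safe to send the code to that issuer's token endpoint."""
    parts = urlsplit(callback_url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    expected_issuer = pending.pop(q.get("state", ""), None)
    if expected_issuer is None:
        raise ValueError("unknown or replayed state")
    # Mitigation 1: the response must arrive on the redirect URI bound to that AS.
    arrived = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if arrived != AUTH_SERVERS[expected_issuer]["redirect_uri"]:
        raise ValueError("response arrived on wrong redirect URI")
    # Mitigation 2 (draft-ietf-oauth-mix-up-mitigation): 'iss' must name the AS
    # this state was issued for; otherwise the code is never forwarded.
    if q.get("iss") != expected_issuer:
        raise ValueError("iss mismatch: possible mix-up, code not forwarded")
    return expected_issuer, q["code"]
```

Mitigation 1 alone depends on the AS enforcing exact redirect URI matching, which is exactly the assumption the thread says does not hold everywhere; the `iss` check does not depend on AS behaviour.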
