Hi Daniel,

I think this problem is not only restricted to the redirect_uri. Regarding countermeasure (1), the A-AS can also return the same client_id as the client uses on the H-AS.

TL;DR: In countermeasure (1), only the issuer prevents Mix-Up; the client_id parameter can be faked as well during the registration of the client (especially if Dynamic Client Registration is used).

Regards
Christian

On 26.11.19 15:20, Daniel Fett wrote:
> Hi Karsten,
>
> Very interesting observation!
>
> My gut feeling is that this is the real problem here:
>
> On 26.11.19 at 14:24, Karsten Meyer zu Selhausen wrote:
>> Depending on its implementation the client might simply extract all data
>> contained in the Client Information Response and use it for
>> authorizations with the specific AS.
>> We were able to confirm that one popular open-source library behaves in
>> this exact way. It stores the redirect URI contained in the Client
>> Information Response and uses it for Authorization Requests with the
>> A-AS although it differs from the redirect URI in the Client
>> Registration Request.
> The client uses untrusted, unverified data to make its decision on what
> redirect URI to use.
>
> Nonetheless, we should definitely mention this in the BCP!
>
>> In our opinion this makes the countermeasure "AS-specific redirect URIs"
>> obsolete and we believe the other countermeasure described in the BCP
>> (adding an AS identifier and the client_id of the intended recipient to
>> AS's responses) should be used to prevent Mix-Up attacks. If the
>> involved entities use the OIDC hybrid flow this countermeasure is
>> automatically applied.
> These are more intrusive changes than the per-AS redirect URI and may
> require new parameters.
>
> Daniel
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

--
Dr.-Ing. Christian Mainka
Horst Görtz Institute for IT-Security
Chair for Network and Data Security
Ruhr-University Bochum, Germany

Universitätsstr. 150, ID 2/463
D-44801 Bochum, Germany

Phone: +49 (0) 234 / 32-26796
Fax: +49 (0) 234 / 32-14347
http://nds.rub.de/chair/people/cmainka/
@CheariX
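Added example, not code from this thread or from any of the participants: a client-side Mix-Up check that records which AS each authorization request was sent to (keyed by `state`) and then verifies the issuer echoed in the response, next to a check that looks only at `client_id`. All names, URLs and the shared `client-42` identifier are constructed for illustration; the scenario assumes the A-AS simply echoed the client's H-AS client_id during dynamic registration, as described above.

```python
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed values: the client is registered at both ASs, and the A-AS
# handed back the very same client_id during Dynamic Client Registration.
H_AS = "https://honest-as.example"
A_AS = "https://attacker-as.example"
CLIENT_ID = "client-42"

# Hypothetical per-request store: state -> issuer the request was sent to.
pending = {}


def start_authorization(issuer):
    """Remember which AS this request targets, bound to a fresh state value."""
    state = secrets.token_urlsafe(16)
    pending[state] = issuer
    return state


def response_params(redirect_url):
    """Flatten the query string of the redirect back to the client."""
    return {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}


def client_id_only_check(redirect_url):
    """Compare only client_id: passes whenever the A-AS reused the same id."""
    return response_params(redirect_url).get("client_id") == CLIENT_ID


def issuer_check(redirect_url):
    """Bind the response to the AS the request went to via iss + state."""
    p = response_params(redirect_url)
    expected_iss = pending.pop(p.get("state", ""), None)
    if expected_iss is None:
        return "reject: unknown state"
    if p.get("iss") != expected_iss:
        return "reject: issuer mismatch"
    if p.get("client_id") != CLIENT_ID:
        return "reject: client_id mismatch"
    return "ok"


def demo():
    """Mix-Up: flow started towards the A-AS, response produced by the H-AS."""
    state = start_authorization(A_AS)
    url = (f"https://client.example/cb?code=abc123&state={state}"
           f"&iss={H_AS}&client_id={CLIENT_ID}")
    # The client_id-only check is fooled; the issuer check rejects the response.
    return client_id_only_check(url), issuer_check(url)
```

In a real client the `pending` store must be per user session and the `state` value must be unguessable, as here, so that the issuer recorded for a request cannot be confused with another user's flow.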