Am 03.12.19 um 10:49 schrieb Daniel Fett:
> Am 03.12.19 um 10:21 schrieb Christian Mainka:
>> Hi,
>>
>> according to [1], countermeasure (1) describes to
>>
>>> configure [the] authorization servers to return an AS identifier
>> ("iss") and the "client_id" for which a code or token was issued in the
>> authorization response.
>>
>> So if a MixUp attack is running, the victim contacts A-AS but is
>> redirected to H-AS [2].
>> The AS adds - according to the countermeasure - two additional
>> parameters to the authorization response: client_id and issuer. Both
>> values are set by H-AS, so it returns H-issuer and H-client_id.
>
> I asked for clarification because I would assume that the mix-up
> attack is thwarted at this point. The client would see H-issuer
> instead of A-issuer, to which it sent the user.
>
> I agree that the client_id is not of much value here.
>
Looking back at our analysis of OIDC [1], we actually included the
option that the attacker chooses the client_id, even for the honest AS. This
is a safe overapproximation, of course. Obviously an attacker-controlled
AS can also issue arbitrary client_ids. So I suspect that there is no
further attack hidden here.

[1] https://arxiv.org/pdf/1704.08539

-Daniel
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
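As an added illustration of the countermeasure discussed in this thread (this is example code, not from the thread, the draft, or the cited paper), the following Python client records per `state` which AS it sent the user to and then checks the `iss` and `client_id` parameters of the authorization response against that record. The issuer URLs and client ids are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs
import secrets

# Constructed issuer identifiers (placeholders, not real servers).
A_ISSUER = "https://a-as.example"   # the AS the victim intended to use
H_ISSUER = "https://h-as.example"   # the AS the victim is actually redirected to


class MixUpAwareClient:
    """Remembers, per 'state', which AS the user was sent to, and verifies
    the 'iss' and 'client_id' returned in the authorization response."""

    def __init__(self, client_ids):
        self.pending = {}              # state -> issuer the user was sent to
        self.client_ids = client_ids   # issuer -> client_id registered there

    def start_authorization(self, issuer):
        # A fresh, unguessable state binds the later response to this request.
        state = secrets.token_urlsafe(16)
        self.pending[state] = issuer
        return state

    def handle_redirect(self, redirect_url):
        params = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        expected_iss = self.pending.pop(params.get("state"), None)
        if expected_iss is None:
            return "reject: unknown or reused state"
        # The decisive check: the response must come from the AS we chose.
        # A missing 'iss' (legacy AS) is rejected as well.
        if params.get("iss") != expected_iss:
            return "reject: iss mismatch (possible mix-up)"
        # Secondary check; an attacker-run AS can set any client_id it likes,
        # so this alone would not stop the attack.
        if params.get("client_id") != self.client_ids[expected_iss]:
            return "reject: client_id mismatch"
        return "accept"


def simulate(response_issuer, response_client_id):
    """Send the user to A-AS, then process a response that claims to come
    from `response_issuer`; returns the client's verdict."""
    client = MixUpAwareClient({A_ISSUER: "client-at-a", H_ISSUER: "client-at-h"})
    state = client.start_authorization(A_ISSUER)
    url = (f"https://client.example/cb?code=constructed-code&state={state}"
           f"&iss={response_issuer}&client_id={response_client_id}")
    return client.handle_redirect(url)
```

In the mix-up scenario from the thread, the user is sent to A-AS but the response carries H-issuer and H-client_id, and the `iss` comparison alone is what rejects it.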
