Hello WG, adding the issuer identifier to the authorization response as a countermeasure to mix-up attacks is well-known on this list and already part of the security BCP (see 4.4.2 <https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16#section-4.4.2>). However, the "iss" parameter is currently not properly specified. Daniel and I wrote an ID to solve this issue.
We would like to ask the working group to give us feedback on our first draft version: https://tools.ietf.org/html/draft-meyerzuselhausen-oauth-iss-auth-resp-00

Abstract

This document specifies a new parameter "iss" that is used to explicitly include the issuer identifier of the authorization server in the authorization response of an OAuth authorization grant. If implemented correctly, the "iss" parameter serves as an effective countermeasure to "mix-up" attacks.

The need for a proper specification of the "iss" parameter was discussed in this thread: https://mailarchive.ietf.org/arch/msg/oauth/DQR2ZXtGKfa-8UGtuPYyZoAaBIc/

Best regards,
Karsten

--
Karsten Meyer zu Selhausen
IT Security Consultant
Phone: +49 (0)234 / 54456499
Web: https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training

Does your OAuth or OpenID Connect implementation use PKCE to strengthen the security? Learn more about the protection PKCE provides and its limitations in our new blog post: https://www.hackmanit.de/en/blog-en/123-when-pkce-cannot-protect-your-confidential-oauth-client

Hackmanit GmbH
Universitätsstraße 60 (Exzenterhaus)
44789 Bochum
Registergericht: Amtsgericht Bochum, HRB 14896
Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Dr. Marcus Niemietz
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
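The countermeasure the draft describes is only effective if the client actually compares the "iss" value in the authorization response with the issuer identifier of the authorization server it sent the request to. The following is an added example of that client-side check (example code, not part of the mail or the draft): the client records the expected issuer per "state" value when it starts a flow, and on the redirect it rejects a response whose "iss" is missing, duplicated, or not an exact string match. The `PendingAuthorization` store, the function names and the issuer URLs are constructed for the example.

```python
"""Client-side validation of the "iss" authorization-response parameter.

Added example: a relying party records which authorization server each
authorization request was sent to (keyed by "state") and, on the redirect
back, checks that the "iss" parameter names exactly that server. In a mix-up
attack the code arrives from a different (honest) server than the one the
client believes it is talking to, so the comparison fails and the client
aborts before sending the code to the wrong token endpoint.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlparse


class AuthorizationResponseError(Exception):
    """Malformed or unexpected authorization response; abort the flow."""


class IssuerMismatch(AuthorizationResponseError):
    """The "iss" value does not match the server the request went to."""


@dataclass(frozen=True)
class PendingAuthorization:
    state: str
    issuer: str  # issuer identifier of the AS the request was sent to


def begin_authorization(store: Dict[str, PendingAuthorization], issuer: str) -> PendingAuthorization:
    """Record the AS (by issuer identifier) before redirecting the user to it."""
    pending = PendingAuthorization(state=secrets.token_urlsafe(16), issuer=issuer)
    store[pending.state] = pending
    return pending


def _single(query: Dict[str, List[str]], name: str) -> str:
    """Return a parameter that must be present exactly once."""
    values = query.get(name, [])
    if len(values) != 1:
        raise AuthorizationResponseError(f"parameter {name!r} must appear exactly once")
    return values[0]


def validate_authorization_response(
    store: Dict[str, PendingAuthorization], redirect_url: str
) -> Tuple[str, str]:
    """Validate the redirect; return (issuer, code) only if "iss" matches.

    Design choice in this example: a missing "iss" is treated as an error,
    since the client only talks to servers that are expected to send it.
    """
    query = parse_qs(urlparse(redirect_url).query, keep_blank_values=True)

    # Bind the response to a request this client really started; pop so a
    # replayed state cannot be accepted twice.
    state = _single(query, "state")
    pending = store.pop(state, None)
    if pending is None:
        raise AuthorizationResponseError("unknown or replayed state")

    # Exact, case-sensitive string comparison; no normalisation of the URL.
    iss = _single(query, "iss")
    if iss != pending.issuer:
        raise IssuerMismatch(f"expected issuer {pending.issuer!r}, response names {iss!r}")

    code = _single(query, "code")
    return pending.issuer, code


if __name__ == "__main__":
    store: Dict[str, PendingAuthorization] = {}
    p = begin_authorization(store, "https://as.example")  # constructed issuer
    url = f"https://client.example/cb?code=SplxlOBeZQQYbYS6WxSbIA&state={p.state}&iss=https%3A%2F%2Fas.example"
    print(validate_authorization_response(store, url))
```

Because the issuer is stored per "state" and compared byte-for-byte, a response carrying a code from one server while the client is waiting on another server is rejected before the code is ever sent to a token endpoint, which is the point of the countermeasure. The store is popped on first use so that a state value cannot be replayed.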
