Hi Karsten,

Thanks for the write-up. I would like to suggest the name authorization_response_iss_parameter_supported, instead of iss_parameter_supported, to make it explicit and unambiguous that it's about the authZ response.
Vladimir

On 26/10/2020 16:33, Karsten Meyer zu Selhausen wrote:
>
> Hello WG,
>
> adding the issuer identifier to the authorization response as a
> countermeasure to mix-up attacks is well-known on this list and
> already part of the security BCP (see 4.4.2
> <https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16#section-4.4.2>).
> However, the "iss" parameter is currently not properly specified.
> Daniel and I wrote an ID to solve this issue.
>
> We would like to ask the working group to give us feedback on our
> first draft version:
> https://tools.ietf.org/html/draft-meyerzuselhausen-oauth-iss-auth-resp-00
>
> Abstract
>
> This document specifies a new parameter "iss" that is used to
> explicitly include the issuer identifier of the authorization server
> in the authorization response of an OAuth authorization grant. If
> implemented correctly, the "iss" parameter serves as an effective
> countermeasure to "mix-up" attacks.
>
> The need for a proper specification of the "iss" parameter was
> discussed in this thread:
> https://mailarchive.ietf.org/arch/msg/oauth/DQR2ZXtGKfa-8UGtuPYyZoAaBIc/
>
> Best regards,
> Karsten
>
> --
> Karsten Meyer zu Selhausen
> IT Security Consultant
> Phone: +49 (0)234 / 54456499
> Web: https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training
>
> Does your OAuth or OpenID Connect implementation use PKCE to strengthen the
> security? Learn more about the protection PKCE provides and its limitations in
> our new blog post:
> https://www.hackmanit.de/en/blog-en/123-when-pkce-cannot-protect-your-confidential-oauth-client
>
> Hackmanit GmbH
> Universitätsstraße 60 (Exzenterhaus)
> 44789 Bochum
>
> Registergericht: Amtsgericht Bochum, HRB 14896
> Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Dr. Marcus Niemietz
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
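The client-side check the draft's "iss" parameter enables, as an added example that is not code from the draft, the thread or any participant: the client remembers which authorization server each request (keyed by `state`) was sent to and rejects a response whose `iss` does not match, which is what defeats a mix-up. The per-state store, the sample URLs and the metadata key name (taken from Vladimir's suggestion above) are assumptions for illustration.

```python
from urllib.parse import parse_qs, urlsplit


class MixUpError(Exception):
    """Authorization response could not be bound to the expected issuer."""


# Constructed sample data: for each outstanding `state`, the issuer the client
# sent the authorization request to and that server's discovery metadata.
# The metadata key name follows the suggestion in the thread (hypothetical).
PENDING = {
    "af0ifjsldkj": {
        "issuer": "https://as.example.com",
        "metadata": {"authorization_response_iss_parameter_supported": True},
    },
    # A legacy AS that does not advertise the parameter at all.
    "b1c2d3": {"issuer": "https://legacy-as.example.org", "metadata": {}},
}


def validate_authorization_response(redirect_url: str, pending: dict = PENDING) -> dict:
    """Return the response parameters only if they belong to the expected issuer."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}
    entry = pending.get(params.get("state"))
    if entry is None:
        raise MixUpError("unknown or missing state")
    expected = entry["issuer"]
    iss = params.get("iss")
    if iss is None:
        # A server that advertises the parameter must send it; its absence
        # means the response did not come from that server as sent.
        if entry["metadata"].get("authorization_response_iss_parameter_supported"):
            raise MixUpError("iss missing although the AS advertises support")
        # Legacy AS: no iss to check, so other mix-up countermeasures
        # (distinct redirect URIs per AS, not shown here) must carry the load.
        return params
    # Exact string comparison: no URL normalization, no prefix matching.
    if iss != expected:
        raise MixUpError(f"iss {iss!r} does not match expected issuer {expected!r}")
    return params
```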