Sadly I couldn’t make the DPoP session, but I’m not convinced the attack 
described in the earlier message really needs to be prevented at all. The 
attack largely hinges on auth codes not being one-time use, which is not a good 
idea, or otherwise on poor network security on the token endpoint. I’m not 
convinced DPoP needs to protect against these things. Is there more to this?

The proposed solutions also seem susceptible to the same problems they attempt 
to solve - if an attacker is somehow able to interrupt the client’s 
(TLS-protected) token request, why are they somehow not able to 
interrupt/modify the (far less protected) redirect to the authorization 
endpoint?

— Neil

> On 30 Nov 2021, at 20:15, Mike Jones 
> <[email protected]> wrote:
> 
> As described during the OAuth Security Workshop session on DPoP, I created a 
> pull request adding the dpop_jkt authorization request parameter to use for 
> binding the authorization code to the client’s DPoP key.  
> See https://github.com/danielfett/draft-dpop/pull/89.
>  
> This is an alternative to https://github.com/danielfett/draft-dpop/pull/86,
> which achieved this binding using a new DPoP PKCE method.  Using this
> alternative allows PKCE implementations to be unmodified, while adding DPoP in
> new code, which may be an advantage in some deployments.
>  
> Please review and comment.  Note that I plan to add more of the attack 
> description written by Pieter Kasselman to the security considerations in a 
> future commit.  This attack description was sent by Pieter yesterday in a 
> message with the subject “Authorization Code Log File Attack (was DPoP 
> Interim Meeting Minutes)”.
>  
>                                                        -- Mike
>  
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
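The dpop_jkt binding Mike's pull request describes, as an added illustration that is not code from the draft, the pull request or either author: the client sends the RFC 7638 thumbprint of its DPoP public key as dpop_jkt on the authorization request, the authorization server stores it with the issued code, and at the token endpoint it compares that value with the thumbprint of the key carried in the DPoP proof (and consumes the code so it cannot be replayed). The AuthorizationServer class, run_flow and the JWK coordinates are constructed placeholders, and the error code used for a key mismatch is this sketch's choice.

```python
import base64
import hashlib
import json
import secrets

# RFC 7638 required members per key type, already in lexicographic order; other
# JWK members (kid, alg, use) do not affect the thumbprint.
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JSON of required members)): the dpop_jkt value."""
    canonical = json.dumps({m: jwk[m] for m in THUMBPRINT_MEMBERS[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class AuthorizationServer:  # constructed toy AS, not any real implementation
    def __init__(self) -> None:
        self._codes = {}

    def authorize(self, client_id: str, dpop_jkt=None) -> str:
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "dpop_jkt": dpop_jkt}
        return code

    def token(self, code: str, dpop_proof_header: dict) -> dict:
        entry = self._codes.pop(code, None)  # one-time use: a replayed code fails
        if entry is None:
            return {"error": "invalid_grant"}
        # A real AS first verifies the DPoP proof JWT signature with its embedded
        # jwk; only the key-binding comparison is shown here.
        presented = jwk_thumbprint(dpop_proof_header["jwk"])
        if entry["dpop_jkt"] is not None and presented != entry["dpop_jkt"]:
            return {"error": "invalid_grant"}  # code bound to a different DPoP key
        return {"token_type": "DPoP", "access_token": secrets.token_urlsafe(16), "cnf": {"jkt": presented}}

# Constructed public keys: placeholder coordinates, not real curve points.
CLIENT_JWK = {"kty": "EC", "crv": "P-256", "x": "client-x", "y": "client-y",
              "kid": "client-key"}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": "other-x", "y": "other-y"}

def run_flow() -> dict:
    srv = AuthorizationServer()
    jkt = jwk_thumbprint(CLIENT_JWK)          # client sends this as dpop_jkt
    code = srv.authorize("app", dpop_jkt=jkt)
    wrong_key = srv.token(code, {"jwk": OTHER_JWK})   # bound key not presented
    code = srv.authorize("app", dpop_jkt=jkt)
    legit = srv.token(code, {"jwk": CLIENT_JWK})
    replay = srv.token(code, {"jwk": CLIENT_JWK})
    return {"wrong_key": wrong_key, "legit": legit, "replay": replay}
```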