Hi,
we would like to request the inclusion of _in-browser communication
security considerations_ in the OAuth security topics.
We found that in-browser communications like the postMessage API are
widely used by Clients and Authorization Servers as an alternative to
the standardized HTTP redirects.
If these techniques are used insecurely, OAuth token leaks and
injections are possible.
We publish our results soon at ACM CCS in November 2022.
The paper is accessible [1].
We think that the paragraph about in-browser communications should be
added to the security topics.
We created a pull request [2] to help developers in understanding the
risks and best practices of using in-browser communications in OAuth.
We are happy to discuss the idea here or directly in the pull request.
Best regards
Christian
[1]: "DISTINCT: Identity Theft using In-Browser Communications in
Dual-Window Single Sign-On", https://distinct-sso.com/paper.pdf
[2]: https://github.com/oauthstuff/draft-ietf-oauth-security-topics/pull/53
--
Dr.-Ing. Christian Mainka
Horst Görtz Institute for IT-Security
Chair for Network and Data Security
Ruhr University Bochum, Germany
Universitätsstr. 150, ID 2/463
D-44801 Bochum, Germany
Telefon: +49 (0) 234 / 32-26796
Fax: +49 (0) 234 / 32-14347
https://nds.rub.de/chair/people/cmainka/
@CheariX
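The token leak and injection risks the message refers to come from the two ends of a postMessage exchange: a Client that accepts an authorization response from any window, and an Authorization Server that posts the response with the wildcard `"*"` target origin. The following is an added example, not code from the e-mail, the DISTINCT paper, or the pull request it links. It places an unchecked receiver and sender beside hardened versions that check `event.origin`, bind the response to the pending `state`, and pass the Client's registered origin as `targetOrigin`. The origins are hypothetical, and browser windows and MessageEvents are replaced by small stand-ins that mimic the browser's delivery rule, so the file runs offline under Node.js.

```javascript
// Added example, not from the e-mail, the DISTINCT paper, or the
// oauth-security-topics draft. Contrasts an unchecked postMessage handler
// with one that verifies the sender's origin and the OAuth "state", and an
// AS-side sender that refuses the wildcard targetOrigin. Windows and
// MessageEvents are stand-ins so this runs under Node.js without a browser.

// Hypothetical origins (constructed for this example).
const AS_ORIGIN = "https://as.example";
const CLIENT_ORIGIN = "https://client.example";
const ATTACKER_ORIGIN = "https://attacker.example";

// ---- Receiver side (Client) ---------------------------------------------

// Vulnerable receiver: accepts an authorization response from any window.
// Any document holding a reference to the client window (as its opener or
// parent) can inject a code of its choosing here.
function insecureReceiver(event) {
  return event.data && event.data.code ? event.data.code : null;
}

// Hardened receiver: the client records the origin it expects the response
// from and the state it generated, and accepts one matching message only.
class AuthResponseReceiver {
  constructor(expectedOrigin, expectedState) {
    this.expectedOrigin = expectedOrigin;
    this.expectedState = expectedState;
    this.consumed = false;
  }

  handle(event) {
    // 1. Drop messages from any origin other than the authorization server.
    if (event.origin !== this.expectedOrigin) return null;
    const d = event.data;
    // 2. Require the expected shape; never eval or URL-parse untrusted strings.
    if (!d || typeof d !== "object" ||
        typeof d.code !== "string" || typeof d.state !== "string") return null;
    // 3. Bind the response to the outstanding request and make it single-use.
    if (this.consumed || d.state !== this.expectedState) return null;
    this.consumed = true;
    return d.code;
  }
}

// ---- Sender side (Authorization Server) ---------------------------------

// Stand-in for a browser window. It enforces the browser's postMessage
// delivery rule: deliver only when targetOrigin is "*" or equals the origin
// of the document currently loaded in that window.
function fakeWindow(origin) {
  return {
    origin,
    inbox: [],
    postMessage(data, targetOrigin) {
      if (targetOrigin === "*" || targetOrigin === this.origin) this.inbox.push(data);
    },
  };
}

// Vulnerable sender: "*" hands the code to whatever document currently
// occupies the opener/parent window, which the AS cannot know.
function insecureSend(targetWindow, response) {
  targetWindow.postMessage(response, "*");
}

// Hardened sender: post only to the client's registered origin; the browser
// then drops the message if another document has taken over the window.
function secureSend(targetWindow, response, clientOrigin) {
  if (clientOrigin === "*") throw new Error("wildcard targetOrigin not allowed for OAuth responses");
  targetWindow.postMessage(response, clientOrigin);
}

// ---- Scenario ------------------------------------------------------------

function runScenario() {
  const state = "constructed-state-123";
  const genuine = { origin: AS_ORIGIN, data: { code: "constructed-code", state } };
  const injected = { origin: ATTACKER_ORIGIN, data: { code: "attacker-code", state } };

  const receiver = new AuthResponseReceiver(AS_ORIGIN, state);
  const results = {
    insecureAcceptsInjected: insecureReceiver(injected),   // injection succeeds
    secureRejectsInjected: receiver.handle(injected),      // null
    secureAcceptsGenuine: receiver.handle(genuine),        // "constructed-code"
    secureRejectsReplay: receiver.handle(genuine),         // null, single-use
  };

  // Leak case: the window the AS was opened from now holds an attacker page.
  const hijacked = fakeWindow(ATTACKER_ORIGIN);
  insecureSend(hijacked, genuine.data);
  results.insecureLeaked = hijacked.inbox.length;          // 1
  secureSend(hijacked, genuine.data, CLIENT_ORIGIN);
  results.secureLeaked = hijacked.inbox.length - results.insecureLeaked; // 0

  // The legitimate client window still receives the response.
  const legit = fakeWindow(CLIENT_ORIGIN);
  secureSend(legit, genuine.data, CLIENT_ORIGIN);
  results.secureDelivered = legit.inbox.length;            // 1
  return results;
}

console.log(runScenario());
```

The two checks are independent and both are needed: the receiver's `event.origin` test defends the Client against injected responses, while the sender's explicit `targetOrigin` keeps the Authorization Server from leaking the code to a window whose content changed after the flow started. The `state` comparison additionally ties the message to a request this Client actually started, so a genuine but unsolicited response is not accepted.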
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth