Re: [OAUTH-WG] redirect uri and portals

Tue, 07 Mar 2023 07:00:46 -0800

The benefit of not storing the state of all users on the server-side is still present. The client only needs to store and use *one *key-pair for all JWTs. 

On 07.03.2023 15:57, Yannick Majoros wrote:

I'm still missing the point:
- any key used to sign or encrypt the state... is state itself
- if we can store that key (or anything, like an url to go back to after login), why bother passing the state around? 



Le mar. 7 mars 2023 à 15:07, Hannes Tschofenig 
<hannes.tschofe...@gmx.net> a écrit :


    Hi Yannick,


    Am 07.03.2023 um 14:25 schrieb Yannick Majoros:

    One possible solution: Store the redirect information in a signed
    JWT and place the JWT in the state parameter. I don't think this
    is written somewhere in the security BCP but I think this is a
    solutions used in the wild by multiple clients.


    Section 4.7.1 of the security BCP lists this solution as one
    possible countermeasure:

     *

        If|state|is used for carrying application state, and integrity
        of its contents is a concern, clients MUST
        protect|state|against tampering and swapping. This can be
        achieved by binding the contents of state to the browser
        session and/or signed/encrypted state values as discussed in
        the now-expired draft[I-D.bradley-oauth-jwt-encoded-state
        
<https://www.ietf.org/archive/id/draft-bradley-oauth-jwt-encoded-state-09.txt>].¶
        
<https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.7.1-3.2.1>


    The referenced draft has, however, expired:
    https://www.ietf.org/archive/id/draft-bradley-oauth-jwt-encoded-state-09.txt


    Ciao

    Hannes






--
Yannick Majoros
Valuya sprl


--
Karsten Meyer zu Selhausen
Senior IT Security Consultant
Phone:  +49 (0)234 / 54456499
Web:    https://hackmanit.de  | IT Security Consulting, Penetration Testing, 
Security Training

Save the date: 11.-12.5.2023. Join us in celebrating the 5th anniversary of 
RuhrSec - the IT security conference in Bochum:https://www.ruhrsec.de/2023

Hackmanit GmbH
Universitätsstraße 60 (Exzenterhaus)
44789 Bochum

Registergericht: Amtsgericht Bochum, HRB 14896
Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. 
Christian Mainka, Prof. Dr. Marcus Niemietz




Attachment:
OpenPGP_0x4535C0E7DB16F148.asc

Description: OpenPGP public key



Attachment:
OpenPGP_signature

Description: OpenPGP digital signature


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth























					Reply via email to