Hi Warren, this is described in detail in the linked paper on page 31 if you need further clarification.
Aaron

On Wed, Jun 14, 2023 at 7:36 AM Warren Parad <wparad=[email protected]> wrote:

> That doesn't make sense to me.
>
> On Wed, Jun 14, 2023, 21:31 Daniel Fett <fett=[email protected]> wrote:
>
>> Hi Alexander,
>>
>> On 14.06.23 at 15:19, Alexander Rademann wrote:
>>
>>> Hello, everyone! Section 4.4.1 of the BCP draft
>>> <https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-23.html#section-4.4.1>
>>> lists several variants of mix-up attacks; the description of the
>>> Implicit grant variant reads as follows: "In the implicit grant, the
>>> attacker receives an access token instead of the code; the rest of the
>>> attack works as above." Given the attack description in that section, it is
>>> not clear to me why an attacker would receive the access token and which
>>> part the "rest of the attack" refers to. When the Implicit grant is used,
>>> H-AS sends the access token (via redirect) to the user agent, which
>>> extracts it and sends it to the client. However, the client does not send
>>> the access token to A-AS, does it? (I hope that I didn't overlook anything
>>> in that section.)
>>>
>>> I also checked the referenced paper <https://arxiv.org/abs/1601.01229>;
>>> there, the authors assume that the access token is sent to the
>>> authorization server under the control of the attacker (or, using their
>>> terminology, identity provider) to access some resource. [Appendix B, p.
>>> 31ff] Perhaps this (or some similar) assumption should be added to the
>>> description of this variant?
>>
>> The underlying assumption is that when the user selected to use A-AS in
>> the beginning, the access token would also be used with a Resource Server
>> under the attacker's control.
>>
>> -Daniel
>>
>>> I'm sorry if I missed anything or if this has already been addressed
>>> before, I'm new to this mailing list and did not find anything in the
>>> archives.
>>>
>>> Kind regards
>>> Alex
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> [email protected]
>>> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
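The following simulation is an added example and is not part of the thread or of the BCP. It models the implicit-grant mix-up variant under the assumption Daniel states above: the client was started against A-AS, so it uses whatever token comes back with the resource server that belongs to A-AS, which the attacker controls. It then shows the BCP's `iss` countermeasure (RFC 9207) on the client side. The hostnames, token strings, class names (`AuthServer`, `Client`, `MixUpDetected`) and the `run_mixup`/`run_honest` drivers are all constructed for this illustration; the redirect is represented as a URL string rather than a real HTTP exchange.

```python
"""Simulated implicit-grant mix-up attack and the iss-based fix (constructed example)."""
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass
class AuthServer:
    """An authorization server together with the resource server its tokens are meant for."""
    issuer: str
    resource_server: str
    sends_iss: bool = True  # whether authorization responses carry the RFC 9207 iss parameter

    def authorize_implicit(self, redirect_uri: str, state: str, token: str) -> str:
        # Implicit grant: the access token is returned in the URL fragment.
        params = {"access_token": token, "token_type": "Bearer", "state": state}
        if self.sends_iss:
            params["iss"] = self.issuer
        return f"{redirect_uri}#{urlencode(params)}"


# Hypothetical honest and attacker-controlled servers (names are made up).
H_AS = AuthServer("https://honest-as.example", "https://honest-rs.example")
A_AS = AuthServer("https://attacker-as.example", "https://attacker-rs.example")


class MixUpDetected(Exception):
    """Raised when the response's issuer does not match the AS the login started with."""


@dataclass
class Client:
    """Client registered at both ASs with one shared redirect URI (the mix-up precondition)."""
    check_iss: bool
    redirect_uri: str = "https://client.example/cb"
    pending: dict = field(default_factory=dict)   # state -> AuthServer the user selected
    rs_calls: list = field(default_factory=list)  # (resource server, token) the client sent

    def start(self, chosen: AuthServer) -> str:
        """Begin a login: remember which AS was selected, keyed by the state value."""
        state = secrets.token_urlsafe(16)
        self.pending[state] = chosen
        return state

    def callback(self, response_url: str) -> str:
        """Handle the redirect back; returns the resource server the token was used with."""
        frag = parse_qs(urlparse(response_url).fragment)
        state = frag["state"][0]
        expected = self.pending.pop(state)  # KeyError for an unknown state
        if self.check_iss:
            # RFC 9207: the response must name its issuer and it must match the one we started with.
            iss = frag.get("iss", [None])[0]
            if iss != expected.issuer:
                raise MixUpDetected(f"expected {expected.issuer}, got {iss!r}")
        token = frag["access_token"][0]
        # Without an issuer check the client cannot tell whose token this is, so it
        # uses it with the RS of the AS the user *selected*, i.e. the attacker's.
        self.rs_calls.append((expected.resource_server, token))
        return expected.resource_server


def run_mixup(check_iss: bool, honest_sends_iss: bool = True) -> str:
    """
    1. The victim selects A-AS at the client; the client records state -> A-AS.
    2. A-AS issues no token of its own; it forwards the victim to H-AS's authorization
       endpoint with the client's real client_id, redirect URI and state.
    3. H-AS authenticates the victim and redirects back with an access token.
    4. The client processes the response believing it came from A-AS.
    Returns 'leaked' if the honest token was sent to the attacker's RS, 'blocked' if rejected.
    """
    honest = AuthServer(H_AS.issuer, H_AS.resource_server, sends_iss=honest_sends_iss)
    client = Client(check_iss=check_iss)
    state = client.start(A_AS)                                                 # step 1
    token = "honest-token-" + secrets.token_hex(4)                             # step 3
    response_url = honest.authorize_implicit(client.redirect_uri, state, token)  # steps 2-3
    try:
        rs = client.callback(response_url)                                     # step 4
    except MixUpDetected:
        return "blocked"
    return "leaked" if rs == A_AS.resource_server else "ok"


def run_honest(check_iss: bool) -> str:
    """Sanity check: a genuine H-AS login still succeeds with the iss check enabled."""
    client = Client(check_iss=check_iss)
    state = client.start(H_AS)
    url = H_AS.authorize_implicit(client.redirect_uri, state, "honest-token")
    return "ok" if client.callback(url) == H_AS.resource_server else "wrong-rs"


if __name__ == "__main__":
    print("no iss check       :", run_mixup(check_iss=False))                        # leaked
    print("iss check          :", run_mixup(check_iss=True))                         # blocked
    print("H-AS without iss   :", run_mixup(check_iss=True, honest_sends_iss=False))  # blocked
    print("honest login       :", run_honest(check_iss=True))                        # ok
```

The `iss` check only helps when the honest AS actually emits the parameter; the client here fails closed when it is absent, which is the safe choice once an AS is known to support it. Where `iss` is unavailable, the BCP's other countermeasure is to register a distinct redirect URI per issuer so the callback itself identifies the AS; and the BCP separately discourages the implicit grant altogether, so this example is about understanding the attack rather than endorsing the flow.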
