--- On Tue, 1/4/11, Marius Scurtescu <mscurte...@google.com> wrote:

> > We need a protocol that does both authentication and
> > authorization. We can take OAuth and adapt it for
> > authentication, or take OpenID and adapt it for
> > authorization, or combine OpenID and OAuth (great solution
> > for people who love complexity) or... take the best ideas
> > from OpenID and OAuth and incorporate them into a new
> > protocol that's designed from the start for both
> > authentication and authorization. That's one of my
> > motivations for proposing PKAuth.
>
> Are you aware of OpenIDConnect?
>
> http://openidconnect.com/
I stumbled upon that page recently while doing a search, but didn't look at it in any detail because it looked like an abandoned draft, and another complicated combination of OpenID and OAuth.

I've looked at it in more detail now, and I've found something interesting. The last section discusses unregistered applications, and it has a paragraph in italics that addresses the issue of how the server can identify an unregistered application to a user, which is the main issue that I'm trying to address with PKAuth:

---- quote ----

Maybe add client discovery here if the server wants to verify the redirect URL exists and is valid for the domain. Thinking you fetch https://domain/.well-known/host-meta and look for openid:redirect_uri. Also useful to get the client's display name and logo which the server can display to the user. The client would also use host-meta to advertise information needed for web browsers to help manage identity.

---- end of quote ----

In the paper I consider an attacker who owns the domain example.com and hosts an application at pomcor.example.com to trick the user into believing that it belongs to Pomcor. Both OpenID and OAuth will identify the application to the user as "pomcor.example.com", which I argue is not good enough. But OpenID Connect is much worse! OpenID Connect will identify the application to the user with a display name and a logo PROVIDED BY THE ATTACKER. So the attacker can just provide "Pomcor" as the display name and the Pomcor logo and the user is taken in.

Francisco
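The risk Francisco describes above is that a consent screen built from self-asserted host-meta data lets the display name and logo stand in for the only thing the server actually verified, the host name. The following Python example is added here as an illustration of the defensive side; it is not code from the thread, from PKAuth, or from the OpenID Connect draft. It parses a constructed host-meta XRD document for the hypothetical host pomcor.example.com, checks that the advertised redirect URI really lives on that host, and then builds a consent view in which the verified host is the headline identifier and the asserted display name and logo are carried along only as explicitly untrusted, secondary fields. The `openid:redirect_uri` link relation comes from the draft text quoted in the mail; the `openid:display_name` and `openid:logo` property names and the sample XRD are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# XRD namespace used by host-meta documents (RFC 6415 / OASIS XRD 1.0).
XRD_NS = "http://docs.oasis-open.org/ns/xri/xrd-1.0"

# Constructed sample: a host-meta document as the attacker in the thread
# might publish it at https://pomcor.example.com/.well-known/host-meta.
# The redirect_uri rel follows the quoted draft text; the display_name and
# logo property types are assumptions for this example, not spec identifiers.
SAMPLE_HOST_META = """<?xml version="1.0"?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Link rel="openid:redirect_uri" href="https://pomcor.example.com/cb"/>
  <Property type="openid:display_name">Pomcor</Property>
  <Property type="openid:logo">https://pomcor.example.com/logo.png</Property>
</XRD>
"""


def parse_host_meta(xml_text):
    """Return ({rel: href}, {property type: value}) from an XRD document."""
    root = ET.fromstring(xml_text)
    links = {}
    props = {}
    for link in root.findall(f"{{{XRD_NS}}}Link"):
        links[link.get("rel")] = link.get("href")
    for prop in root.findall(f"{{{XRD_NS}}}Property"):
        props[prop.get("type")] = (prop.text or "").strip()
    return links, props


def redirect_uri_belongs_to_host(redirect_uri, client_host):
    """True only for an https redirect URI on client_host or a subdomain of it."""
    parsed = urlparse(redirect_uri or "")
    host = (parsed.hostname or "").lower()
    client_host = client_host.lower()
    return parsed.scheme == "https" and (
        host == client_host or host.endswith("." + client_host)
    )


def registrable_domain(host):
    """Crude stand-in for a public-suffix lookup: keep the last two labels.
    Good enough for example.com-style hosts; a real server would use a
    public suffix list. (Assumption made for this example.)"""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def build_consent_view(client_host, host_meta_xml):
    """Build what the authorization server should show the user.

    The only fact the server has verified by fetching host-meta over TLS is
    that *someone controlling client_host* published this document, so that
    host is the headline. Everything else in the document is self-asserted
    and is passed through with display_name_trusted=False so the UI never
    renders it as the application's identity.
    """
    links, props = parse_host_meta(host_meta_xml)
    redirect = links.get("openid:redirect_uri")
    asserted_name = props.get("openid:display_name")
    domain = registrable_domain(client_host)

    # Heuristic flag: the asserted name does not appear anywhere in the
    # registrable domain, e.g. "Pomcor" claimed under example.com. This is a
    # signal for extra scrutiny, not a proof of spoofing.
    name_backed_by_domain = bool(asserted_name) and (
        asserted_name.lower() in domain.split(".")
    )

    return {
        "verified_identifier": client_host.lower(),
        "registrable_domain": domain,
        "redirect_uri": redirect,
        "redirect_uri_valid": redirect_uri_belongs_to_host(redirect, client_host),
        "asserted_display_name": asserted_name,
        "asserted_logo": props.get("openid:logo"),
        "display_name_trusted": False,
        "name_backed_by_domain": name_backed_by_domain,
        # The headline names only what was verified.
        "headline": f"An application at {client_host.lower()} ({domain}) is requesting access",
    }


if __name__ == "__main__":
    view = build_consent_view("pomcor.example.com", SAMPLE_HOST_META)
    print(view["headline"])
    print("Self-described as:", view["asserted_display_name"],
          "(unverified)" if not view["display_name_trusted"] else "")
    print("Name backed by domain:", view["name_backed_by_domain"])
```

The point of the structure is that the UI layer cannot accidentally promote the self-asserted name: the headline string is derived only from the host the server fetched from, and the asserted fields arrive already tagged as untrusted, with a separate flag the server can use to demand registration or show a stronger warning when the claimed name has nothing to do with the registrable domain.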
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth