Hi Mike,
I really like the new revision since it is much simpler :-)
My comments:
I'm fine with describing all mitigations we talked about in Darmstadt in
one/this spec. But the state check at the tokens endpoint is supposed to
be a mitigation against code injection/cut and paste attack, which is
not directly related to IDP/AS mix up. So I would suggest to change the
name of the spec, probably "OAuth security extensions"?
I think the code injection/cut and paste attack should be described more
extensively in the introduction. It's important for the reader to
understand, why this mitigation is defined at all. Moreover, I think the
description of the mitigation is still incomplete/spread over the
document. In order to detect code injection, the RP not only needs to
send the state to the tokens endpoint, it also needs to (directly or
indirectly) _bind_ the state to the particular user agent (session).
Otherwise, the attacker can inject the state along with the solen code
easily. I would suggest to merge
"To prevent replay of the state in another browser instance by
an attacker, the state value MUST be tied to the browser instance in a
way that cannot be forged by an attacker. Section 4 of
[I‑D.bradley‑oauth‑jwt‑encoded‑state]
provides several examples of how a client can accomplish this."
into section 5.
I thought we had discussed to also give implementors a guideline on
using state to prevent CSRF as well? How will we take care of that topic?
kinds regards,
Torsten.
Am 21.01.2016 um 07:28 schrieb Mike Jones:
John Bradley and I collaborated to create the second OAuth 2.0 Mix-Up
Mitigation draft. Changes were:
·Simplified by no longer specifying the signed JWT method for
returning the mitigation information.
·Simplified by no longer depending upon publication of a discovery
metadata document.
·Added the “state” token request parameter.
·Added examples.
·Added John Bradley as an editor.
The specification is available at:
·http://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-01
An HTML-formatted version is also available at:
·http://self-issued.info/docs/draft-jones-oauth-mix-up-mitigation-01.html
-- Mike
P.S. This note was also posted athttp://self-issued.info/?p=1526 and
as @selfissued <https://twitter.com/selfissued>.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
