But that's cut-n-paste protection using "state" token endpoint parameter,
is it not?

2016年1月29日(金) 14:14 Phil Hunt (IDM) <phil.h...@oracle.com>:

> We discussed that redirecr helps but we wanted the Token endpoint to also
> be able to detect assuming many client devs won't implement the check.
>
>
> Phil
>
> On Jan 28, 2016, at 20:54, Nat Sakimura <sakim...@gmail.com> wrote:
>
> My preferred way of dealing with mix-up has been to use separate
> redirection URI but your using issuer instead is for the backward
> compatibility?
>
> Nat
>
> 2016年1月29日(金) 2:53 John Bradley <ve7...@ve7jtb.com>:
>
>> Yes,  I note either mitigation in draft-jones-oauth-mix-up-mitigation-01
>> will stop this attack.
>>
>> White listing AS seems tempting, but is just sweeping the problem
>> partially under the rug.
>> There are probably good policy reasons to whitelist AS but
>> we shouldn’t let this AS mixup be one of them.
>>
>> John B.
>>
>> On Jan 27, 2016, at 10:42 PM, Nat Sakimura <sakim...@gmail.com> wrote:
>>
>> I see. That's like double cut-n-paste.
>>
>> I tried to capture this case of used-to-be-good AS turning Compromised AS
>> (Log leaking AS) in a sequence diagram: http://j.mp/1QtDeKD
>>
>> Given this, just relying on not using random AS is not good enough. You
>> would probably require AS w/ISMS with the policy of not logging un-masked
>> credentials and has strict access control on the log ;-)
>>
>> Nat
>>
>> 2016年1月28日(木) 9:38 Hans Zandbelt <hzandb...@pingidentity.com>:
>>
>>> indeed, if the attacker is able to phish the user, he can put up a
>>> script that first triggers the authorization request to the compromised
>>> AS (i.e. the AS at which he has access to the logs and gathers the state
>>> value from) through the Client, and subsequently trigger the redirect to
>>> the good AS using an auto-refresh of that same phishing page (with the
>>> stolen state value); no need to control the authorization endpoint of
>>> the compromised AS itself
>>>
>>> Hans.
>>>
>>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>>
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to