Hi all,
I prefer to use draft-jones-oauth-mix-up-mitigation-01 as the starting point
simply because it gives some description of the threats we need to cope
with. This does not preclude eventually using
draft-sakimura-oauth-meta-07 as the solution, or any other suitable
mechanism we find consensus on.
In my opinion, both proposals (iss and meta data) are very similar on a
conceptual level as they inform the client about the sender of the
redirect. iss could nicely fit with the upcoming OAuth AS discovery,
whereas meta is appealing if we want a mechanism that always keeps the
client informed about where it is considered secure to obtain/use credentials
(tokens, codes, ...).
Besides this, I would like to emphasize again that code injection/copy
and paste is not related to IdP mix-up (even if we discussed both in the
same workshop). Even traditional OAuth deployments (single AS) are
potentially affected by the attack. I suggest splitting the draft into
separate documents per threat/mitigation and moving the mitigation
against code injection forward as quickly as possible. The current proposal to
tie the authz code to the client state seems a pretty simple and
straightforward solution to me.
Kind regards,
Torsten.
On 19.02.2016 at 20:42, Hannes Tschofenig wrote:
In early February I posted a mail to the list to make progress on the
solution to the OAuth Authorization Server Mix-Up problem discovered
late last year.
Here is my mail about the Authorization Server Mix-Up:
http://www.ietf.org/mail-archive/web/oauth/current/msg15336.html
Here is my mail to the list that tried to summarize the discussion
status and asked a few questions:
http://www.ietf.org/mail-archive/web/oauth/current/msg15697.html
Unfortunately, my mail didn't lead to the intended success. While there
was some feedback I wasn't getting the desired response.
In order to move forward I believe we need a working group document that
serves as a starting point for further work in the group*. We have two
documents that provide similar functionality in an attempt to solve the
Authorization Server Mix-Up problem.
So, here is the question for the group. Which document do you want as a
starting point for work on this topic:
-- Option A: 'OAuth 2.0 Mix-Up Mitigation' by Mike Jones and John Bradley
Link:
https://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-01
-- Option B: 'OAuth Response Metadata' by Nat Sakimura, Nov Matake and
Sascha Preibisch
Link:
https://tools.ietf.org/html/draft-sakimura-oauth-meta-07
Deadline for feedback is March 4th.
Ciao
Hannes & Derek
PS: (*) Regardless of the selected solution we will provide proper
acknowledgement for those who contributed to the work.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
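To make the two mitigations discussed in this thread concrete, here is an added example (not code from either draft or from any poster) that simulates a client and two authorization servers in memory. It models the draft-jones approach only: the AS returns an `iss` parameter in the authorization response, which the client compares against the issuer it started the flow with (mix-up), and the client sends its `state` in the token request so the AS can check that the code was issued for exactly that state (code injection / cut-and-paste). The issuer URLs, client identifier, redirect URI, class names and the single-use in-memory code store are all constructed assumptions for the example; real deployments would use the discovery, registration and transport of the actual protocol.

```python
"""Constructed simulation of the two OAuth mitigations: `iss` in the
authorization response (mix-up) and code-to-state binding (code injection).
No network; both AS instances and the client live in one process."""
import secrets
from dataclasses import dataclass, field

# Constructed issuer identifiers and client registration values (assumptions).
HONEST = "https://as.honest.example"
ATTACKER = "https://as.attacker.example"
CLIENT_ID = "client-1"
REDIRECT_URI = "https://client.example/cb"


class RejectedResponse(Exception):
    """Raised by client or AS when a check in the flow fails."""


@dataclass
class AuthorizationServer:
    """Toy AS: echoes `iss` in the authorization response and binds each
    issued code to the client_id, state and redirect_uri it was requested with."""
    issuer: str
    codes: dict = field(default_factory=dict)

    def authorize(self, client_id, state, redirect_uri):
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "state": state,
                            "redirect_uri": redirect_uri}
        return {"code": code, "state": state, "iss": self.issuer}

    def token(self, client_id, code, state, redirect_uri):
        rec = self.codes.pop(code, None)  # codes are single use
        if rec is None:
            raise RejectedResponse("unknown or already used code")
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise RejectedResponse("code not issued to this client/redirect_uri")
        if rec["state"] != state:
            # Code-injection check: the code was minted for a different state.
            raise RejectedResponse("code was not issued for this state")
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


@dataclass
class Client:
    """Toy client that remembers, per state value, which AS it started with."""
    servers: dict                                 # issuer -> AuthorizationServer
    pending: dict = field(default_factory=dict)   # state -> issuer

    def start(self, issuer):
        state = secrets.token_urlsafe(16)
        self.pending[state] = issuer
        return self.servers[issuer].authorize(CLIENT_ID, state, REDIRECT_URI)

    def finish(self, response):
        issuer = self.pending.pop(response.get("state"), None)
        if issuer is None:
            raise RejectedResponse("unknown state")
        # Mix-up check: the response must come from the AS this flow was started with.
        if response.get("iss") != issuer:
            raise RejectedResponse(f"iss mismatch: expected {issuer}, got {response.get('iss')}")
        # Code-injection mitigation: hand our state to the AS with the code.
        return self.servers[issuer].token(CLIENT_ID, response["code"],
                                          response["state"], REDIRECT_URI)


def build():
    servers = {HONEST: AuthorizationServer(HONEST), ATTACKER: AuthorizationServer(ATTACKER)}
    return Client(servers), servers


def honest_flow():
    client, _ = build()
    return "access_token" in client.finish(client.start(HONEST))


def mix_up_detected():
    """Flow started with the attacker's AS; the attacker forwards the user to the
    honest AS, whose response (with the same state) lands on the client's redirect URI."""
    client, servers = build()
    started = client.start(ATTACKER)  # the attacker's AS learns the state value
    forwarded = servers[HONEST].authorize(CLIENT_ID, started["state"], REDIRECT_URI)
    try:
        client.finish(forwarded)
    except RejectedResponse as e:
        return str(e).startswith("iss mismatch")
    return False


def code_injection_detected():
    """Attacker obtains a code in a session of their own and pastes it into the
    victim's session, keeping the victim's state so the client accepts the redirect."""
    client, servers = build()
    attacker_resp = servers[HONEST].authorize(CLIENT_ID, "attacker-state", REDIRECT_URI)
    victim_resp = client.start(HONEST)
    injected = {"code": attacker_resp["code"], "state": victim_resp["state"], "iss": HONEST}
    try:
        client.finish(injected)
    except RejectedResponse as e:
        return str(e).startswith("code was not issued for this state")
    return False
```

Without the `iss` comparison, `mix_up_detected` would have sent the honest AS's code to the attacker's token endpoint; without the AS-side state binding, `code_injection_detected` would have completed the victim's session with the attacker's code. The draft-sakimura metadata approach is not modelled here.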