Hi,

We just had a discussion in Stuttgart on the possibility of misconfigured endpoints, i.e., an honest client uses the wrong endpoints for interacting with some honest AS. Such a setting might be the outcome of a social engineering attack against the administrators of a client (e.g., the attacker disguises themselves as an AS support agent and convinces the client admin that some endpoint needs to be changed). If some endpoint is configured to a URL controlled by some adversary, critical data can leak and the attacker can even tamper with the requests to this endpoint.

Is this a realistic attack scenario? Does anybody have more insight or data on this problem? (I think that such a scenario had been mentioned at some OSW discussion.)

A potential mitigation against this problem could be the usage of AS metadata discovery (RFC8414). In this case, the client only needs to set the "issuer" to configure the endpoint URLs. A social engineering attack to change the issuer might be less likely than a social engineering attack to change some endpoint URLs (which a client admin might have less understanding of). Further, using AS metadata discovery also reduces the risk of misconfiguration at the client in general.

Maybe it is a good idea to add a recommendation for the usage of RFC8414 in the security BCP. What do you think?

Regards,
Guido

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
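The mitigation discussed above, as an added example that is not part of the post: a client configured only with an issuer builds the RFC 8414 discovery URL, checks that the returned metadata's "issuer" equals the configured one, and only then adopts the endpoint URLs. The host names, the sample metadata, and the rule that endpoints must sit on the issuer's host are constructed for this example (the host rule is a local policy choice, stricter than RFC 8414 itself).

```python
"""Added example (not from the mailing-list post): derive endpoints from an
RFC 8414 issuer instead of configuring each endpoint URL by hand."""
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/oauth-authorization-server"


def discovery_url(issuer: str) -> str:
    """RFC 8414 section 3: insert the well-known suffix between host and path;
    a trailing "/" on the issuer path is dropped first."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or parts.query or parts.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    return f"https://{parts.netloc}{WELL_KNOWN}{parts.path.rstrip('/')}"


def validate_metadata(configured_issuer: str, metadata: dict) -> dict:
    """Return the endpoint URLs the client may use, or raise ValueError."""
    # RFC 8414 section 3.3: the "issuer" in the document MUST be identical to
    # the issuer the client used to build the request.
    if metadata.get("issuer") != configured_issuer:
        raise ValueError("issuer mismatch: document is not for the configured AS")
    issuer_host = urlsplit(configured_issuer).netloc
    endpoints = {}
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = metadata.get(key)
        if url is None:
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            raise ValueError(f"{key} is not https: {url}")
        # Example policy (an assumption of this example, not an RFC 8414 rule):
        # refuse endpoints that would send tokens or codes to another host.
        if parts.netloc != issuer_host:
            raise ValueError(f"{key} points off the issuer host: {url}")
        endpoints[key] = url
    return endpoints


def is_accepted(configured_issuer: str, metadata: dict) -> bool:
    """Convenience wrapper: True if the metadata passes validation."""
    try:
        validate_metadata(configured_issuer, metadata)
        return True
    except ValueError:
        return False


# Constructed sample metadata documents for the example (no network access).
GOOD_METADATA = {
    "issuer": "https://as.example.com",
    "authorization_endpoint": "https://as.example.com/authorize",
    "token_endpoint": "https://as.example.com/token",
    "jwks_uri": "https://as.example.com/jwks.json",
}
# Same document, but the token endpoint now points at an unrelated host.
TAMPERED_METADATA = dict(GOOD_METADATA, token_endpoint="https://other.example.net/token")
```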