Hello, everyone!

Section 4.4.1 of the BCP draft <https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-23.html#section-4.4.1> lists several variants of mix-up attacks; the description of the Implicit grant variant reads as follows: "In the implicit grant, the attacker receives an access token instead of the code; the rest of the attack works as above."

Given the attack description in that section, it is not clear to me why an attacker would receive the access token and which part the "rest of the attack" refers to. When the Implicit grant is used, H-AS sends the access token (via redirect) to the user agent, which extracts it and sends it to the client. However, the client does not send the access token to A-AS, does it? (I hope that I didn't overlook anything in that section.)

I also checked the referenced paper <https://arxiv.org/abs/1601.01229>; there, the authors assume that the access token is sent to the authorization server under the control of the attacker (or, using their terminology, identity provider) to access some resource [Appendix B, p. 31ff]. Perhaps this (or some similar) assumption should be added to the description of this variant?

I'm sorry if I missed anything or if this has already been addressed before; I'm new to this mailing list and did not find anything in the archives.

Kind regards
Alex
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
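The scenario the post and the cited paper describe, reduced to a runnable simulation from the client's side. This is an added example, not code from the post, the BCP draft or the paper: the issuer names, the client's bookkeeping and the assumption that A-AS forwards the user agent's authorization request to H-AS unchanged (so H-AS sees the client's original `state`) are all constructed. It shows the two outcomes that matter to a defender: a client that only remembers "this flow started at A-AS" attributes H-AS's access token to A-AS, which is exactly the point at which the token would later be presented to a resource under the attacker's control; a client that additionally checks the `iss` parameter of the authorization response (the issuer identification mitigation of RFC 9207) rejects the mismatched response before any token is used.

```python
"""Simulated implicit-grant mix-up, seen from the client side (constructed example)."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed issuer identifiers; not taken from the draft or the paper.
H_AS = "https://honest-as.example"     # H-AS: honest authorization server
A_AS = "https://attacker-as.example"   # A-AS: attacker-controlled authorization server
REDIRECT_URI = "https://client.example/cb"


class MixUpRejected(Exception):
    """Raised when an authorization response does not belong to the flow it claims."""


class Client:
    """Minimal client: remembers, per state value, which AS a flow was started at."""

    def __init__(self, require_iss):
        self.require_iss = require_iss
        self.pending = {}  # state -> issuer the flow was started with

    def start_flow(self, issuer):
        state = secrets.token_urlsafe(16)
        self.pending[state] = issuer
        query = urlencode({
            "response_type": "token",          # implicit grant
            "client_id": "constructed-client",  # hypothetical client id
            "redirect_uri": REDIRECT_URI,
            "state": state,
        })
        return f"{issuer}/authorize?{query}"

    def handle_callback(self, callback_url):
        """Return (issuer, access_token) the client will act on, or raise MixUpRejected."""
        fragment = urlsplit(callback_url).fragment
        params = {k: v[0] for k, v in parse_qs(fragment).items()}
        expected = self.pending.pop(params.get("state"), None)
        if expected is None:
            raise MixUpRejected("unknown or reused state")
        if self.require_iss:
            iss = params.get("iss")
            if iss is None:
                raise MixUpRejected("authorization response carries no iss parameter")
            if iss != expected:
                raise MixUpRejected(f"response issued by {iss}, flow started with {expected}")
        # Without the check the client trusts its own bookkeeping only: the token
        # is attributed to whichever AS the flow was started with.
        return expected, params["access_token"]


def honest_as_callback(authorization_url):
    """H-AS answering an implicit-grant request: token in the fragment, plus iss."""
    req = {k: v[0] for k, v in parse_qs(urlsplit(authorization_url).query).items()}
    fragment = urlencode({
        "access_token": secrets.token_urlsafe(24),  # constructed token value
        "token_type": "Bearer",
        "state": req["state"],
        "iss": H_AS,
    })
    return f"{req['redirect_uri']}#{fragment}"


def run_scenario(user_picks_attacker, require_iss):
    """Return the issuer the client attributes the token to, or None if rejected.

    In the mix-up case the flow is started at A-AS, which (assumption, as in the
    BCP scenario) forwards the browser to H-AS with the request unchanged, so
    H-AS redirects the token back to the client carrying the original state.
    """
    client = Client(require_iss=require_iss)
    auth_url = client.start_flow(A_AS if user_picks_attacker else H_AS)
    if user_picks_attacker:
        # A-AS forwards the request to H-AS; only the authorization endpoint changes.
        auth_url = auth_url.replace(A_AS, H_AS, 1)
    callback_url = honest_as_callback(auth_url)
    try:
        issuer, _token = client.handle_callback(callback_url)
    except MixUpRejected:
        return None
    return issuer


if __name__ == "__main__":
    print("honest flow, no iss check   ->", run_scenario(False, False))  # H-AS
    print("mix-up flow, no iss check   ->", run_scenario(True, False))   # A-AS (token misattributed)
    print("mix-up flow, with iss check ->", run_scenario(True, True))    # None (rejected)
```

The `A_AS` result in the second line is the whole problem: the client holds a token minted by H-AS but believes it came from A-AS, so any resource request it builds for "the AS of this flow" goes to the attacker's server carrying that token. Binding the callback to the issuer, either through the `iss` check shown here or through a distinct redirect URI per AS, removes that misattribution.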