An issue was filed in the OpenID Connect repository at https://bitbucket.org/openid/connect/issues/2074/parameter-pollution-with-redirect_uri that the working group believes is actually about OAuth and not specific to OpenID Connect. The description of the issue is:
We have researched the OAuth protocol and identified a new class of attack, OPP, derived from the pollution of the redirect_uri in the Authorization request, which affected 10/16 popular IDPs. PAPER: <https://innotommy.com/Wrong_redirect_uri_validation_in_OAuth-4.pdf>

Including an attacker code as a parameter of the redirect_uri in the Authorization request generates an Authorization response containing double code parameters. This can cause a login CSRF attack on the Client site.

We would like to see the specification include a check over the redirect_uri parameters in the Authorization request. For example, an explicit directive to refuse requests containing a redirect_uri with a code parameter in the Authorization request.

I'm curious to hear people's analysis of this and whether, for instance, there's guidance that we should add to the OAuth Security BCP.

-- Mike
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
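The two checks the issue asks for, written out as an added Python example (this is not code from the issue, the linked paper, or any of the providers it studied): on the authorization server, refuse any redirect_uri whose query already carries a parameter name the server itself will append (code, state, error, ...); on the client, refuse an authorization response in which such a parameter appears more than once. The example assumes an authorization server that permits extra query parameters on a registered redirect_uri after matching scheme, host and path, which is the permissive behaviour the issue describes; a server that requires exact string matching rejects the polluted URI at registration lookup already. The client URIs and parameter values are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qsl

# Parameter names the authorization server appends to the redirect URI in an
# authorization response (RFC 6749 code/state/error parameters plus the
# OpenID Connect / implicit and issuer-identifier additions). A client must
# never be allowed to pre-seed these in redirect_uri, or the response will
# carry the parameter twice and the client may read the attacker's value.
RESERVED_RESPONSE_PARAMS = {
    "code", "state", "error", "error_description", "error_uri",
    "id_token", "access_token", "token_type", "expires_in", "scope", "iss",
}

# Constructed registration data for a hypothetical client.
REGISTERED_REDIRECT_URIS = {"https://client.example/cb"}


def _base(uri):
    """scheme, host and path only; the query is validated separately."""
    parts = urlsplit(uri)
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path)


def reserved_params_in_redirect_uri(redirect_uri):
    """Reserved response parameter names already present in redirect_uri's query."""
    query = urlsplit(redirect_uri).query
    names = {name for name, _ in parse_qsl(query, keep_blank_values=True)}
    return names & RESERVED_RESPONSE_PARAMS


def validate_redirect_uri(redirect_uri, registered=REGISTERED_REDIRECT_URIS):
    """Authorization-server side check for a redirect_uri request parameter.

    Assumption: the server matches scheme/host/path against registration and
    tolerates additional query parameters (e.g. a client-side 'next' hint).
    Returns (ok, reason)."""
    if urlsplit(redirect_uri).fragment:
        return (False, "redirect_uri must not contain a fragment")
    if _base(redirect_uri) not in {_base(u) for u in registered}:
        return (False, "redirect_uri not registered")
    polluted = reserved_params_in_redirect_uri(redirect_uri)
    if polluted:
        return (False, "redirect_uri pre-seeds reserved response parameter(s): "
                + ", ".join(sorted(polluted)))
    return (True, "ok")


def duplicate_params(callback_url):
    """Client side: parameter names that occur more than once in the response."""
    counts = {}
    for name, _ in parse_qsl(urlsplit(callback_url).query, keep_blank_values=True):
        counts[name] = counts.get(name, 0) + 1
    return sorted(name for name, n in counts.items() if n > 1)


def parse_authorization_response(callback_url):
    """Client side: reject a polluted response instead of silently taking the
    first (possibly attacker-supplied) value of code or state."""
    dups = duplicate_params(callback_url)
    if dups:
        raise ValueError("duplicate parameter(s) in authorization response: "
                         + ", ".join(dups))
    return dict(parse_qsl(urlsplit(callback_url).query, keep_blank_values=True))


if __name__ == "__main__":
    # Constructed requests: a benign extra parameter and a polluted one.
    print(validate_redirect_uri("https://client.example/cb?next=%2Fdashboard"))
    print(validate_redirect_uri("https://client.example/cb?code=PLACEHOLDER_CODE"))
    # Constructed response as it would arrive at the client after pollution.
    print(duplicate_params("https://client.example/cb?code=PLACEHOLDER_CODE&code=real&state=s"))
```

Both checks are cheap and independent: the server-side one closes the issue's reported behaviour at its source, while the client-side one protects a client against any provider that still appends rather than rejects.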