Brian and I were talking about "aud" used as a parameter to the token endpoint
when using a code or refresh token to indicate what RS the resulting AT will be
used at.
Sending a audience in the AT wouldn't help prevent the attack being discussed,
though it may stop other sorts of attacks if th
Hi Phil,
I was curious how you secure the first step. If your client app is started
> by invoking a custom URL, what's to stop the attacker using that and
> passing in https://attacker.com as the desired RS and audience?
An attacker can do just as you've said -- but you didn't say which AS is
i
Josh,
I was curious how you secure the first step. If your client app is started by
invoking a custom URL, what’s to stop the attacker using that and passing in
https://attacker.com as the desired RS and audience?
Phil
@independentid
www.independentid.com
phil.h...@oracle.com
> On Mar 16, 20
Hi Phil,
It might help me if you spelled out the phishing scenario you have in mind.
The key threat we're attempting to mitigate against with an "aud" param is:
1. Phishing link tells app to launch against RS at https://attacker.com
2. App queries https://attacker.com/metadata (this is a healthca
Josh,
I’m not sure this helps. It seems to me, a phishing link could tell your app to
launch and pass in any RS value could it not?
Phil
@independentid
www.independentid.com
phil.h...@oracle.com
> On Mar 16, 2015, at 10:47 AM, Josh Mandel wrote:
>
> Hi Torsten,
>
> You're absolutely correct
Hi Torsten,
You're absolutely correct. The implementation we're contemplating for SMART
Platforms does indeed derive the "aud" parameter from the actual URL that
the client used to communicate with the RS. Very briefly, the flow is:
1. Electronic Health Record system tells an app to launch, passi
I don't think putting an aud into an AT will help to prevent counterfeit RSs
(as long as the aud is nit directly derived from the original URL used by the
client to invoke the counterfeit RS. as long as the aud is a symbolic name of
any kind, the counterfeit RS will accept ATs for the legitimate
We've used "aud" (optionally) with OAuth 2 and bearer tokens to help
identify the RS to whom the AT should be issued. It is useful but it's
mostly about getting format/content/etc of the AT correct for the RS rather
than it is about preventing possible AT leaks.
I do think an "aud(iance)" paramete
