: Benjamin Häublein
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] PAR and client authentication
Hi,
I can’t see how client authentication prevents request tampering.
Best,
Nikos
On 29 Nov 2024, at 2:55 PM, Benjamin Häublein <benjamin.haeubl...@cirosec.de> wrote:
Hi,
the goal of PAR is to protect the parameters of the authorization request from
tampering.
If there is no authentication of the client, anybody could push an authorization
request, and nothing would be gained. Thus, client authentication is required.
Best regards,
Benjamin
From: Nikos Fotiou
ve client.
To reach such a state, an attacker could trick the user into starting the
authorization grant but clicking the malicious link before the authorization
response is sent.
Best Regards,
Benjamin Häublein
Senior Consultant
cirosec GmbH
Ferdinand-Braun-Strasse 4
74074 Heilbronn
Germany
Phone
‘code_verifier’ for the original authorization request.
When the AS behaves as described the client has no way to know that an attacker
has interfered.
Best Regards,
Benjamin Häublein
From: George Fletcher
Sent: Tuesday, 4 January 2022 14:51
To: Benjamin Häublein; oauth@ietf.org
Be
elies
on PKCE for CSRF protection must always include a code_verifier parameter in
the token request (even if no code_verifier is present on the client side).
Best regards,
Benjamin Häublein
Senior Consultant
cirosec GmbH
Ferdinand-Braun-Strasse 4
74074 Heilbronn
Germany
Phone: +49 (7131) 5
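The two points made in this thread, that a PAR endpoint must authenticate the pushing client and that a client relying on PKCE should always send a code_verifier in the token request, are shown below in a small toy authorization server. This is an added example, not code from the thread or from any of its participants; the client id, secret, redirect URI and store layout are constructed, and the token-endpoint rule that rejects a code_verifier for a code that had no code_challenge bound is an assumption taken from the OAuth Security BCP, not something the thread states.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed registered confidential client (example values, not from the thread).
CLIENTS = {"client-a": "client-a-secret"}
PAR_STORE = {}   # request_uri -> pushed authorization parameters
CODE_STORE = {}  # authorization code -> what it was bound to at issuance


def s256(code_verifier):
    """PKCE S256 transform: BASE64URL(SHA256(code_verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def par_endpoint(client_id, client_secret, params):
    """PAR endpoint: store nothing for an unauthenticated client, otherwise the
    pushed parameters could have been supplied by anybody."""
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected, client_secret or ""):
        raise PermissionError("invalid_client")
    request_uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(16)
    PAR_STORE[request_uri] = {"client_id": client_id, **params}
    return request_uri


def _issue_code(client_id, code_challenge):
    code = secrets.token_urlsafe(16)
    CODE_STORE[code] = {"client_id": client_id, "code_challenge": code_challenge}
    return code


def authorize_par(request_uri):
    """Authorization endpoint for a pushed request: the code is bound to the
    parameters the authenticated client pushed, not to anything in the browser."""
    params = PAR_STORE.pop(request_uri)  # request_uri is single use
    return _issue_code(params["client_id"], params.get("code_challenge"))


def authorize_direct(client_id, code_challenge=None):
    """Plain front-channel authorization request (no PAR): unauthenticated, so
    anyone can start one for any client_id, with or without PKCE."""
    return _issue_code(client_id, code_challenge)


def token_endpoint(client_id, code, code_verifier):
    """Token endpoint with the usual PKCE check plus the downgrade check (assumed
    from the Security BCP): a code_verifier for a code with no bound
    code_challenge is refused instead of being silently ignored."""
    bound = CODE_STORE.pop(code, None)  # codes are single use
    if bound is None or bound["client_id"] != client_id:
        return {"error": "invalid_grant", "reason": "unknown code or wrong client"}
    challenge = bound["code_challenge"]
    if challenge is None:
        if code_verifier is not None:
            return {"error": "invalid_grant", "reason": "code_verifier without bound code_challenge"}
        return {"access_token": secrets.token_urlsafe(16), "pkce": False}
    if code_verifier is None or not hmac.compare_digest(s256(code_verifier), challenge):
        return {"error": "invalid_grant", "reason": "PKCE verification failed"}
    return {"access_token": secrets.token_urlsafe(16), "pkce": True}


def client_token_request(client_id, session, code):
    """Client side of the thread's advice: a client relying on PKCE always sends a
    code_verifier, falling back to a fresh random one when its session holds none,
    so a code it never requested is refused by the AS rather than redeemed."""
    verifier = session.get("code_verifier") or secrets.token_urlsafe(32)
    return token_endpoint(client_id, code, verifier)


def run_honest_flow():
    """Confidential client pushes its request (with PKCE), the user authorizes,
    and the client redeems the code with its own verifier."""
    session = {"code_verifier": secrets.token_urlsafe(32)}
    request_uri = par_endpoint("client-a", "client-a-secret", {
        "redirect_uri": "https://client.example/cb",          # constructed
        "code_challenge": s256(session["code_verifier"]),
        "code_challenge_method": "S256",
    })
    code = authorize_par(request_uri)
    return client_token_request("client-a", session, code)


def run_injected_code():
    """The scenario from the thread: a code for client-a issued without PKCE is
    delivered to a client session that never started a flow. Because the client
    still sends a code_verifier, the AS rejects it."""
    injected_code = authorize_direct("client-a")  # no code_challenge bound
    victim_session = {}                            # victim started nothing
    return client_token_request("client-a", victim_session, injected_code)


def push_rejected_without_credentials():
    """True when an unauthenticated push to the PAR endpoint is refused."""
    try:
        par_endpoint("client-a", "not-the-secret", {"redirect_uri": "https://client.example/cb"})
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("honest flow:", run_honest_flow())
    print("injected code:", run_injected_code())
    print("unauthenticated push rejected:", push_rejected_without_credentials())
```

Without the downgrade check in `token_endpoint`, the injected code would be redeemed even though the victim client sent a verifier, which is exactly the situation the thread describes where the client has no way to know an attacker interfered; always sending `code_verifier` only helps when the AS treats an unbound verifier as an error.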