[Openid-specs-ab] Discovery security considerations.

John Bradley ve7jtb at ve7jtb.com
Thu Dec 19 19:07:35 UTC 2013

Section 7.2 Provider Configuration Request

TLS certificate checking MUST be performed by the client when making a Provider Configuration Request. Checking that the server certificate is valid for the issuer URI prevents man-in-the-middle or DNS-based attacks. These attacks may cause a client to be tricked into accepting an attacker's keys and endpoints to impersonate a legitimate issuer. If an attacker can do this, they can access accounts of any users already created at an affected client that have subjects scoped to the issuer they are impersonating.

Section 7.3 Client configuration of Issuer Endpoints & Keys

An AS may attempt to impersonate another AS by publishing a Discovery document that contains an issuer claim containing the issuer URL of another issuer as the value, but with its own endpoints and signing keys. This would allow it to issue id_tokens as that issuer. To prevent this, clients MUST ensure that the issuer URL they are discovering exactly matches the value of the issuer claim in the provider metadata document retrieved by the client.

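The two client-side checks the message above asks for, written out as an added example (not code from the original post or from the OpenID specifications): the provider configuration is fetched only over TLS with certificate and hostname verification left at their defaults, and the issuer the client set out to discover must equal the issuer claim in the returned metadata exactly, before any endpoint or key in that document is trusted. The function names, the DiscoveryError class and the sample metadata documents are assumptions made for the example; as an additional check beyond the message, the example also refuses non-https endpoint URLs in the metadata.

```python
"""Added example (not from the original post): client-side checks for an
OpenID Connect Provider Configuration Request. Covers the two points in
the message above: TLS certificate verification when fetching the
discovery document, and an exact match between the issuer the client is
discovering and the ``issuer`` claim in the metadata it receives.
Function names and sample documents are constructed for illustration."""
import json
import ssl
import urllib.request
from urllib.parse import urlsplit


class DiscoveryError(Exception):
    """Raised when a discovery document fails a security check."""


def configuration_url(issuer: str) -> str:
    """Build the well-known configuration URL for an issuer.

    The issuer must be an https URL with no query or fragment, so the
    fetch is always protected by TLS; refusing plain http here is the
    first half of the 'TLS certificate checking' requirement."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        raise DiscoveryError(f"issuer must be an https URL: {issuer!r}")
    if parts.query or parts.fragment:
        raise DiscoveryError("issuer must not contain a query or fragment")
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_issuer(expected_issuer: str, metadata: dict) -> dict:
    """Enforce the exact-match rule from the message: the issuer the client
    set out to discover must equal the metadata's ``issuer`` claim byte for
    byte (so 'https://op.example' and 'https://op.example/' do not match).
    A rogue AS that copies another issuer's URL into its own metadata while
    pointing at its own endpoints and keys is rejected here."""
    claimed = metadata.get("issuer")
    if not isinstance(claimed, str):
        raise DiscoveryError("metadata has no string 'issuer' claim")
    if claimed != expected_issuer:
        raise DiscoveryError(
            f"issuer mismatch: requested {expected_issuer!r}, "
            f"metadata claims {claimed!r}")
    # Additional check (assumption, beyond the message): endpoints and the
    # key set URL the client will use must themselves be https URLs.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = metadata.get(key)
        if value is not None and urlsplit(value).scheme != "https":
            raise DiscoveryError(f"{key} is not an https URL: {value!r}")
    return metadata


def fetch_configuration(issuer: str, timeout: float = 10.0) -> dict:
    """Fetch and validate the provider configuration over TLS.

    ssl.create_default_context() enables certificate chain validation and
    hostname checking; never relax check_hostname or verify_mode here, since
    that is exactly what lets a man-in-the-middle hand the client an
    attacker's keys and endpoints. This performs a real network request
    and is not exercised by the offline checks below."""
    url = configuration_url(issuer)
    ctx = ssl.create_default_context()
    if not ctx.check_hostname or ctx.verify_mode != ssl.CERT_REQUIRED:
        raise DiscoveryError("TLS verification must not be disabled")
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        metadata = json.load(resp)
    return validate_issuer(issuer, metadata)


if __name__ == "__main__":
    # Constructed sample: a client discovering https://attacker.example
    # receives metadata that claims to be https://op.example.com.
    rogue = {"issuer": "https://op.example.com",
             "jwks_uri": "https://attacker.example/jwks"}
    try:
        validate_issuer("https://attacker.example", rogue)
    except DiscoveryError as err:
        print("rejected:", err)
```

Note that `validate_issuer` runs after the TLS fetch rather than instead of it: the exact-match rule defeats an AS that merely publishes another issuer's URL, while certificate verification defeats an attacker who redirects the fetch itself.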