[Openid-specs-ab] Defining a Hardened (Mix-up and Cut-and-Paste Proof) OpenID Connect Profile

William Denniss wdenniss at google.com
Tue Apr 12 17:01:49 UTC 2016

One item that came out of the discussions on the sidelines of IETF95 with
folk from this WG (specifically Nat, Mike, John, Brian and myself) was the
need for the Connect community to respond to the recently
<http://arxiv.org/abs/1508.04324v2/> documented
<http://arxiv.org/abs/1601.01229v2/> security threats.

Connect is actually in a much stronger place for mitigating these attacks
(as noted in the papers themselves) than pure OAuth, with the id_token
offering a cryptographic binding of the code to the issuer, audience and
session identifier (nonce).

However, certain steps need to be followed, for example using 'nonce' with
the code flow (which is optional to implement for clients) to protect
against cut-and-paste, and using the form-post response type with the
hybrid flow to verify that the code was issued by the expected IdP, to
ensure the code is exchanged at the correct token endpoint (mitigating

We discussed last week creating a profile of Connect that recommends those
practices to mitigate these classes of attack as a response to the security
researchers' findings. I wanted to share that suggestion with the list, and
continue the conversation.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20160412/14d1034d/attachment.html>

More information about the Openid-specs-ab mailing list