[Openid-specs-fapi] Ensuring one-time use of request JWTs registered at the request JWT endpoint

Vladimir Dzhuvinov vladimir at connect2id.com
Wed Aug 2 07:21:30 UTC 2017


It appears to me that one-time use of request objects registered by URI
cannot be guaranteed, unless read access to the request_uri is strictly
limited to the AS only.

Consider the following scenario:

1. Client registers request object at request_uri; a one-time GET policy
is enforced, but the URL is world readable.
2. Malicious JS code in the browser GETs the request_uri.
3. The authorization request will fail due to invalid request_uri.
4. The malicious JS code can still re-register the request object as
many times as it wants.


The statement in 7.2 may also need to be revised then:

http://openid.net/specs/openid-financial-api-part-2.html#request

> The request object needs to be signed for the client authentication
> and as the evidence of the client submitting the request object, which
> sometimes is called 'non-repudiation'. 

If the request_uri is world readable, even if the AS takes measures to
make it hard to guess, the end-user / user agent will always be able to
get it and re-register it, which means the signature doesn't really hold
as evidence of the client submitting the request JWT.


Vladimir
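The four-step scenario above, as an added toy model (not the FAPI spec's or any authorization server's code). It simulates a request_uri endpoint with a one-time GET policy and runs the same sequence under two read policies: world readable, and reads restricted to the AS. The in-memory store, the `AS_IDENTITY` caller label, the HMAC tag standing in for the client's JWS signature, the `https://client.example/ro/...` URIs and the request payload are all constructed for the example.

```python
"""Toy request_uri store: one-time GET with and without AS-only read access.

Constructed illustration of the mailing-list scenario; nothing here is the
FAPI specification's or a real AS's implementation.
"""
import hashlib
import hmac
import secrets

# Constructed key; stands in for the client's request-object signing key.
CLIENT_KEY = b"constructed-client-signing-key"
# Assumed: the endpoint can tell which caller is dereferencing the URI
# (e.g. via mTLS client identity or a bearer credential).
AS_IDENTITY = "authorization-server"


def sign_request_object(payload: str) -> str:
    """Toy 'signed request object': payload plus HMAC tag (stand-in for a JWS)."""
    tag = hmac.new(CLIENT_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_request_object(obj: str) -> bool:
    """Signature check used at registration; identical bytes always verify."""
    payload, _, tag = obj.rpartition(".")
    expected = hmac.new(CLIENT_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


class RequestUriStore:
    """request_uri endpoint with a one-time GET policy.

    restrict_reads_to_as=False: world-readable URI (the post's scenario).
    restrict_reads_to_as=True:  only the AS may dereference the URI.
    """

    def __init__(self, restrict_reads_to_as: bool):
        self.restrict_reads_to_as = restrict_reads_to_as
        self._objects = {}  # request_uri -> signed object, dropped on first read

    def register(self, signed_obj: str) -> str:
        if not verify_request_object(signed_obj):
            raise ValueError("request object signature invalid")
        # Constructed, hard-to-guess URI; guessability is not the issue here.
        uri = f"https://client.example/ro/{secrets.token_urlsafe(16)}"
        self._objects[uri] = signed_obj
        return uri

    def fetch(self, uri: str, caller: str):
        """Return the object on its first read and forget it; None otherwise."""
        if self.restrict_reads_to_as and caller != AS_IDENTITY:
            return None  # hardened policy: non-AS readers never consume the object
        return self._objects.pop(uri, None)  # one-time GET policy


def run_scenario(restrict_reads_to_as: bool) -> dict:
    """Run steps 1-4 of the post and report what each party ended up with."""
    store = RequestUriStore(restrict_reads_to_as)
    # Step 1: client registers the signed request object.
    uri = store.register(sign_request_object("client_id=abc&scope=payments"))
    # Step 2: something other than the AS (script in the user agent) reads first.
    leaked = store.fetch(uri, caller="browser-script")
    # Step 3: the AS dereferences the URI.
    as_view = store.fetch(uri, caller=AS_IDENTITY)
    # Step 4: the same bytes can be registered again; the signature still verifies,
    # so the registration is indistinguishable from one made by the client.
    reregistered = store.register(leaked) if leaked is not None else None
    return {
        "leaked": leaked is not None,
        "as_got_object": as_view is not None,
        "reregistered": reregistered is not None,
    }


if __name__ == "__main__":
    print("world readable:", run_scenario(restrict_reads_to_as=False))
    print("AS-only reads: ", run_scenario(restrict_reads_to_as=True))
```

With the world-readable policy the first read consumes the object, the AS's own GET fails, and the consumed bytes register again without any signature failure, which is the post's point that the signature does not evidence who submitted the object. With reads limited to the AS, the one-time policy does what it is meant to: only the AS ever sees the object, and there is nothing for anyone else to re-register.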
