[Openid-specs-fapi] Issue #77: IdP Confusion Attack (openid/fapi)

Edmund Jay issues-reply at bitbucket.org
Fri Mar 17 23:00:52 UTC 2017


New issue 77: IdP Confusion Attack
https://bitbucket.org/openid/fapi/issues/77/idp-confusion-attack

Edmund Jay:

This is one of the attack cases listed in the report [SoK: Single Sign-On Security – An Evaluation of OpenID Connect](https://www.nds.rub.de/media/ei/veroeffentlichungen/2017/01/30/oidc-security.pdf)


In this attack, the Attacker OP forces the Client to send a valid "code" issued by the Honest OP to the Attacker OP.

The attacker OP returns the same "client_id" during the registration as the one registered at the Honest OP. In other words, the Client has the same client_id on both OPs.

Execution.

Step 1: Attacker starts an authentication on the Client with the Honest OP. It caches the received "state" and "nonce" parameters sent in the Authentication Request.

Step 2: Attacker starts an authentication on the Client with the Malicious OP.

Step 3: Malicious OP receives the Authentication Request and responds with an HTTP 302 Redirect to the Honest OP. The redirect URL contains the same parameters received in the Authentication Request except the "nonce" parameter, which is replaced by the value from Step 1.

Result Evaluation.

The attack is successful if the Malicious OP receives the "code" generated by the Honest OP in the Token Request.
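To make the three steps concrete, here is an added simulation, in Python, of a Client, an Honest OP and an Attacker OP exchanging the messages described in the issue. It is example code written for this page, not code from the issue, from the SoK paper or from the FAPI working group. It also goes one step beyond the text: the Client can be run with one redirect_uri shared by all OPs, in which case the Honest OP's code ends up in the Attacker OP's Token Request, or with one redirect_uri per OP, in which case the Honest OP refuses the forwarded request and the Client refuses a code that arrives on another OP's callback path (even when the attacker replays the redirect_uri it cached in Step 1). The issuer URLs, the client_id value, the /cb paths and the per-OP redirect_uri check are assumptions of the example, not something the issue proposes.

```python
# Constructed simulation of the IdP confusion attack described in the issue.
# Added example: not code from the issue, the SoK paper or the FAPI working group.
# Issuer URLs, "client-123" and the /cb paths are invented for the example.
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlencode, urlsplit, parse_qs

CLIENT_ID = "client-123"  # the Attacker OP echoed the Honest OP's client_id at registration


@dataclass
class HonestOP:
    issuer: str
    registered_redirects: set                     # redirect_uris registered for CLIENT_ID
    issued: dict = field(default_factory=dict)    # code -> nonce the code is bound to
    token_requests: list = field(default_factory=list)

    def authorize(self, params):
        # Honest OP: refuse a redirect_uri that was not registered for this client_id.
        if params["redirect_uri"] not in self.registered_redirects:
            raise ValueError("redirect_uri not registered for client")
        code = secrets.token_urlsafe(8)
        self.issued[code] = params["nonce"]
        # Authentication Response: 302 back to the Client with code and the same state.
        return f"{params['redirect_uri']}?{urlencode({'code': code, 'state': params['state']})}"

    def token(self, code):
        self.token_requests.append(code)
        return {"nonce": self.issued[code]} if code in self.issued else None


@dataclass
class AttackerOP:
    issuer: str
    honest: HonestOP
    step1_request: dict                   # Step 1: the cached state, nonce and redirect_uri
    token_requests: list = field(default_factory=list)
    swap_redirect: bool = False           # extension: also replay the cached redirect_uri

    def authorize(self, params):
        # Step 3: 302 to the Honest OP with the same parameters, nonce taken from Step 1.
        forwarded = dict(params, nonce=self.step1_request["nonce"])
        if self.swap_redirect:
            forwarded["redirect_uri"] = self.step1_request["redirect_uri"]
        return self.honest.authorize(forwarded)

    def token(self, code):
        self.token_requests.append(code)  # attack succeeds if an Honest OP code lands here
        return {"nonce": "anything"}


@dataclass
class Session:
    op: object
    nonce: str
    redirect_uri: str


class Client:
    BASE = "https://client.example"

    def __init__(self, per_op_redirect):
        self.per_op_redirect = per_op_redirect
        self.sessions = {}                # state -> Session

    def redirect_uri_for(self, op):
        # Mitigation (assumed): one redirect_uri per OP instead of one shared by all OPs.
        suffix = "/" + urlsplit(op.issuer).hostname if self.per_op_redirect else ""
        return f"{self.BASE}/cb{suffix}"

    def start_login(self, op):
        # Authentication Request: fresh state and nonce, session bound to the chosen OP.
        state, nonce = secrets.token_urlsafe(8), secrets.token_urlsafe(8)
        redirect_uri = self.redirect_uri_for(op)
        self.sessions[state] = Session(op, nonce, redirect_uri)
        return {"client_id": CLIENT_ID, "state": state, "nonce": nonce,
                "redirect_uri": redirect_uri, "response_type": "code"}

    def callback(self, url):
        parts = urlsplit(url)
        q = {k: v[0] for k, v in parse_qs(parts.query).items()}
        session = self.sessions.pop(q.get("state", ""), None)
        if session is None:
            return "rejected: unknown state"
        # Mitigation (assumed): the code must arrive on the redirect_uri bound to this session's OP.
        if urlsplit(session.redirect_uri).path != parts.path:
            return "rejected: code arrived on another OP's redirect_uri"
        session.op.token(q["code"])       # Token Request goes to the session's OP
        return "accepted"


def run_attack(per_op_redirect, swap_redirect=False):
    """Return True if the Attacker OP received a code minted by the Honest OP."""
    client = Client(per_op_redirect)
    honest = HonestOP("https://honest.example", set())
    honest.registered_redirects.add(client.redirect_uri_for(honest))
    step1 = client.start_login(honest)                # Step 1: attacker caches state and nonce
    attacker = AttackerOP("https://attacker.example", honest, step1, swap_redirect=swap_redirect)
    step2 = client.start_login(attacker)              # Step 2: login with the Malicious OP
    try:
        client.callback(attacker.authorize(step2))    # Step 3, then the Honest OP's redirect back
    except ValueError:
        return False                                  # Honest OP refused the forwarded request
    return any(code in honest.issued for code in attacker.token_requests)


def run_honest_login(per_op_redirect):
    """Sanity check: a normal login with the Honest OP is still accepted."""
    client = Client(per_op_redirect)
    honest = HonestOP("https://honest.example", set())
    honest.registered_redirects.add(client.redirect_uri_for(honest))
    return client.callback(honest.authorize(client.start_login(honest)))
```

With a shared redirect_uri, `run_attack(False)` returns True: the Honest OP mints a code bound to the Step 1 nonce, returns it with the Step 2 state, and the Client's state lookup sends it to the Attacker OP's token endpoint. With per-OP redirect_uris, `run_attack(True)` and `run_attack(True, swap_redirect=True)` both return False, while `run_honest_login(True)` still returns "accepted".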



