[Openid-specs-fapi] Issue #173: Mix-up mitigation (defence in depth) (openid/fapi)

Dave Tonge issues-reply at bitbucket.org
Tue Sep 11 08:36:05 UTC 2018

New issue 173: Mix-up mitigation (defence in depth)

Dave Tonge:

Currently some of the approaches in FAPI require the RP to validate certain parameters to detect mix-up and man-in-the-browser attacks.

For example:
- the RP must validate the `s_hash`
- the RP must check nonces
- the RP must validate the `iss` in the `id_token`

Another mitigation for mix-up attacks (described in https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics) is **code-bound state**. This is where the RP sends the state param to the token endpoint when exchanging the auth code for an access token.

I think we should consider adding this requirement in, as it allows the OP to detect some attacks even in the event of an RP that is not properly validating the above.

For what it's worth, this OpenID Connect Certified Relying Party implementation (https://github.com/panva/node-openid-client) already sends `state` to the token endpoint.
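The OP-side half of code-bound state, as an added illustration that is not from this thread, the draft, or node-openid-client: the authorization server binds each code to the client, redirect URI and `state` of the request that produced it, and the token endpoint rejects a code presented with a different `state` (which is what catches a code injected into another session even when the RP itself checks nothing). `AuthorizationServer`, the client id and the URLs are made-up names; treating a missing `state` as a failure when the code was issued with one is an assumption of this example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class CodeBinding:
    client_id: str
    redirect_uri: str
    state: Optional[str]  # state from the authorization request, None if absent
    used: bool = False


class AuthorizationServer:
    """Minimal OP bookkeeping (hypothetical): every authorization code is
    bound to the client_id, redirect_uri and state of the authz request."""

    def __init__(self) -> None:
        self._codes: Dict[str, CodeBinding] = {}

    def issue_code(self, client_id: str, redirect_uri: str, state: Optional[str]) -> str:
        code = secrets.token_urlsafe(32)
        self._codes[code] = CodeBinding(client_id, redirect_uri, state)
        return code

    def redeem_code(self, code: str, client_id: str, redirect_uri: str,
                    state: Optional[str]) -> Tuple[bool, str]:
        """Token endpoint check. Returns (ok, reason). The code is consumed on
        the first attempt regardless of outcome, so a failed probe cannot be
        followed by a successful replay."""
        binding = self._codes.get(code)
        if binding is None or binding.used:
            return False, "invalid_grant: unknown or already used code"
        binding.used = True
        if not _eq(binding.client_id, client_id):
            return False, "invalid_grant: client mismatch"
        if not _eq(binding.redirect_uri, redirect_uri):
            return False, "invalid_grant: redirect_uri mismatch"
        if binding.state is not None:  # code-bound state
            if state is None:
                return False, "invalid_grant: state missing from token request"
            if not _eq(binding.state, state):
                return False, "invalid_grant: state mismatch"
        return True, "ok"


def _eq(a: str, b: str) -> bool:
    # constant-time comparison so mismatches do not leak timing information
    return hmac.compare_digest(a.encode(), b.encode())
```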
