[Openid-specs-mobile-profile] minutes of MODRNA WG Call Jan 13th 2016

philippe.clement at orange.com philippe.clement at orange.com
Thu Jan 14 11:01:08 UTC 2016

(to Torsten: please provide these minutes to the list)

Dear all,

Please find below the preliminary notes of our call on Jan 13th 2016.
In case of error or misunderstanding, please let me know.

Participants: Nat, Matthieu, Torsten, Roland, Gonzalo, Sebastian, Philippe

1-      Feedback on the authentication document
2-      debriefing on security issues

-       Feedback awaited from the list on the authentication document
-       Inform GSMA of the security work

1-      Authentication document
Torsten explains that the focus has been put on the authentication document for priority reasons, having in mind providing GSMA with the result and MWC 2016.
The registration specs, concerning the whole lifecycle and registration, will follow. (Roland is interested in doing OIDC in federations.)

Feedback is awaited for this document. Torsten and Philippe have provided their comments/suggestions on the doc.

2-      Security issues
a.      New kind of OAuth Attack
Information published on a German website (initiated by a German university) describing a new kind of attack (on OAuth2), involving the discovery phase.

In a nutshell, a client thinks he is talking to an IdP; in fact he is talking to another IdP or to an endpoint of the other IdP. Kind of a "man in the middle" attack.
A workshop has started on this concern, with talks in IETF too with Torsten and Nat; countermeasures are being developed, mainly by applying the authentication of the redirection issuer.
These countermeasures will be standardized in the concerned protocols (OAuth, OIDC if needed).

Nat: We discussed this issue in IETF. A solution could be, in the code flow, to return the URI of the token endpoint.

b.      Injection of code in the code flow
Principle: When an attacker obtains the code, he can impersonate a user.
Relevant for Mobile Connect (as MC uses code flow)

John Bradley is working on the countermeasure; it will be discussed in the next call.

GSMA will be informed of these security issues and of the work in progress.

Kind regards,
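
The countermeasure mentioned under 2a (authenticating the issuer of the redirect), as an added example that is not part of the minutes or of any specification: the client binds `state` to the IdP it chose and refuses to forward the code if the authorization response names a different issuer. The issuer URLs, the `iss` response parameter name and the function names are assumptions made for illustration.

```python
import secrets
from urllib.parse import urlparse, parse_qs


class MixUpError(Exception):
    """Authorization response does not belong to the IdP the client started with."""


# Constructed registry of IdPs the client knows (hypothetical issuers and endpoints).
PROVIDERS = {
    "https://idp-a.example": {"token_endpoint": "https://idp-a.example/token"},
    "https://idp-b.example": {"token_endpoint": "https://idp-b.example/token"},
}


def begin_login(session, issuer):
    """Start a code flow: remember which issuer this `state` value was created for."""
    if issuer not in PROVIDERS:
        raise ValueError("unknown issuer")
    state = secrets.token_urlsafe(16)
    session[state] = issuer
    return state


def handle_callback(session, callback_url):
    """Return (token_endpoint, code) only if the response issuer matches the bound one."""
    query = parse_qs(urlparse(callback_url).query)
    params = {key: values[0] for key, values in query.items()}

    # `state` is single use: pop it so a replayed response is rejected.
    expected_issuer = session.pop(params.get("state", ""), None)
    if expected_issuer is None:
        raise MixUpError("unknown or replayed state")

    # Assumed parameter: the IdP identifies itself in the redirect as `iss`.
    returned_issuer = params.get("iss")
    if returned_issuer is None:
        raise MixUpError("response carries no issuer, cannot authenticate it")
    if returned_issuer != expected_issuer:
        raise MixUpError("response issuer differs from the one bound to state")
    if "code" not in params:
        raise MixUpError("no authorization code in response")

    # The token endpoint comes from the client's own record of the expected
    # issuer, never from anything in the response.
    return PROVIDERS[expected_issuer]["token_endpoint"], params["code"]
```
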

