[Openid-specs-ab] Scope Attack
John Bradley
ve7jtb at ve7jtb.com
Thu Apr 21 20:01:28 UTC 2011
I think it is a IdP UI issue. The grant of a user-ID token needs to be clearly separated from the user info endpoint grant and other grants.
I don't know how far we want to go with being specific about UI. I would be tempted to recommend that the UI be granular enough to allow individual scopes to be denied.
Personally I don't give Facebook enabled apps access because I don't have a way to turn off posting to my feed when they ask for a bunch of grants.
I think it probably should be left up to the IdP to decide on the best interface.
John B.
On 2011-04-21, at 12:57 PM, Nat Sakimura wrote:
> Hi.
>
> I was tweeting with a friend of mine in Japanese about attacker disguising to be just requesting authentication and a bit more and in fact getting fairly large access privilege.
>
> For example, let the client request scope=openid%20readwirte saying that "Please login by clicking this button" or login icon.
> The use is redirected to the client and presses OK without reading about what you are about to give up.
> He is just thinking that it is authentication - not a big deal, and only at a later date that something is massively wrong.
>
> What can we do to mitigate this problem?
>
>
> --
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/
> http://twitter.com/_nat_en
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20110421/f5f435e5/attachment.html>
More information about the Openid-specs-ab
mailing list