[Openid-specs-ab] Session Management: Security Considerations
Andreas Åkre Solberg
andreas.solberg at uninett.no
Thu Sep 1 06:50:46 UTC 2011
On 31. aug. 2011, at 19:22, Breno de Medeiros wrote:
> The check session endpoint MUST validate browser session matches the id_token.
I probably did not explain my point very well. Let me try again.
This does not even need to include the check session endpoint to perform the attack.
The issue I'm referring to is the combination of leaking ID Token to the browser history log
(something that could happen with the check session request)
and
accepting a new ID Token as an incoming front-channel request.
(something that is done with the check session response)
The attacker would first need to obtain a ID Token for a another user, then establish a session at the RP as him self, and then make the RP issue a check session request. The reason that it needs it to generate a check session request is that the RP then presents a state; which makes it easy for the attacker to craft a valid response (without being in contact with the check session endpoint) by combing this state parameter with the id token jwt found in the browser cache.
This attack would not be possible if the RP did a comparison of the user_id in the check session request and the response.
And BTW; if "The check session endpoint MUST validate browser session matches the id_token."
you should add that the to spec. In addition you have to explain what it mean to validate a browser session against an id_token. As there is no session identifiers involved in openid connect, I must admit it is not totally clear to me how that can be done. Should in example the provider cache all issued ID Tokens (or hashes of them)? Or is the session concept intensionally dropped, and comparing the user_id and authentication level is sufficient for comparing a ID Token with a 'browser session'.
Andreas
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20110901/bdf8600b/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4448 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20110901/bdf8600b/attachment.p7s>
More information about the Openid-specs-ab
mailing list