[Openid-specs-ab] Session Management: Security Considerations

John Bradley ve7jtb at ve7jtb.com
Thu Sep 1 21:12:49 UTC 2011


That is what the RP should use the nonce to stop.  If, in the new session, it creates a new nonce value, that won't match the nonce in the id_token.

If the RP has logged the user out it should not start a new session based solely on an old id_token.

If the original user is still logged into the IdP then the attacker can probably log in as you unless the RP is forcing a reauth.

In session management, we have added a logout method.  The User is redirected back to the IdP where they can log out of the IdP and stop refresh tokens from being generated.

I think the RP should use the logout functionality to stop the long-lived IdP session attack.  That is the biggest problem.

So the short answer is that the nonce protects against the use of an id_token in a different session.

You will probably rightly point out that this needs a better explanation in the spec.

It is also possible that Breno has something else in mind.

John B.
On 2011-09-01, at 5:36 PM, Andreas Åkre Solberg wrote:

> On 1. sep.2011, at 19:56, John Bradley wrote:
> 
>> I think you are referring to XSRF protection for the Refresh Session endpoint.
>> 
>> Check Session is a direct POST from the client to the Check Session endpoint, for a web server client that would not go through the browser.
> 
> You're right, I made a typo; I meant the refresh session endpoint (not the check session endpoint).
> 
> However, my concern was not about XSRF. (that is sort of handled by the state, right?)
> 
> My concern is that: you may log in and out again on your computer; and there may be a 'valid ID Token JWT' in your browser log (the JWT is not invalidated when you log out), which means that when I borrow your PC afterwards, I can get access to that token, and use it to update my own session (to be authenticated as you) - at the RP.
> 
> Andreas

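The exchange above, worked through in code as an added example (not part of the original thread, the spec, or either author's own code): a relying party that mints a fresh nonce for every login attempt, stores it in the browser's session, and on the callback accepts an id_token only if the token's nonce claim matches the nonce that this session generated. The token minted for Alice's session is then replayed from the browser history into a new session, as Andreas describes, and again into the logged-out session. The HS256 shared secret, the issuer and client_id strings, and the session store are constructed assumptions so the script runs offline; a real RP would verify the IdP's asymmetric signature against its published keys.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo values (assumptions, not from the spec): a secret shared by
# the IdP and RP so HS256 can be verified offline, plus hypothetical identifiers.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
RP_CLIENT_ID = "rp-client"
IDP_ISSUER = "https://idp.example"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_id_token(subject: str, nonce: str, now: int) -> str:
    """IdP side: mint an id_token that echoes the nonce from the auth request."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": RP_CLIENT_ID,
              "iat": now, "exp": now + 3600, "nonce": nonce}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class RelyingParty:
    """Minimal RP: every login attempt gets its own session and its own nonce."""

    def __init__(self):
        self.sessions = {}  # session id (browser cookie) -> {"nonce": ..., "user": ...}

    def start_login(self):
        """New session plus the nonce that goes into the authentication request."""
        sid = secrets.token_urlsafe(16)
        nonce = secrets.token_urlsafe(16)
        self.sessions[sid] = {"nonce": nonce, "user": None}
        return sid, nonce

    def logout(self, sid: str) -> None:
        """Drop the RP session entirely; an old id_token must not revive it."""
        self.sessions.pop(sid, None)

    def complete_login(self, sid: str, id_token: str, now: int):
        """Validate an id_token against the session that started this login.
        Returns (accepted, detail)."""
        session = self.sessions.get(sid)
        if session is None:
            return False, "no active login session for this browser"
        if session["nonce"] is None:
            return False, "nonce already consumed; a second token for this session is a replay"
        parts = id_token.split(".")
        if len(parts) != 3:
            return False, "malformed token"
        signing_input = (parts[0] + "." + parts[1]).encode()
        expected_sig = hmac.new(SHARED_SECRET, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, _b64url_decode(parts[2])):
            return False, "bad signature"
        claims = json.loads(_b64url_decode(parts[1]))
        if claims.get("iss") != IDP_ISSUER or claims.get("aud") != RP_CLIENT_ID:
            return False, "wrong issuer or audience"
        if int(claims.get("exp", 0)) <= now:
            return False, "expired"
        # The check this thread is about: the token's nonce must be the one this
        # session generated. A token lifted from another session carries a different nonce.
        if not hmac.compare_digest(str(claims.get("nonce", "")), session["nonce"]):
            return False, "nonce mismatch: token was issued for a different session"
        session["nonce"] = None  # single use: the same token cannot be presented twice
        session["user"] = claims["sub"]
        return True, claims["sub"]


def replay_scenario(now: int = 1_314_910_000):
    """Walk through the attack Andreas describes and show where the nonce stops it."""
    rp = RelyingParty()
    # 1. Alice logs in; her session's nonce is echoed back in the id_token.
    sid_alice, nonce_alice = rp.start_login()
    token = idp_issue_id_token("alice", nonce_alice, now)
    ok_alice, _ = rp.complete_login(sid_alice, token, now)
    # 2. Alice logs out of the RP. The token left in the browser history is
    #    still validly signed and unexpired.
    rp.logout(sid_alice)
    # 3. Someone else at the same PC starts a new login and replays Alice's token
    #    into it; the new session minted its own nonce, so the claim does not match.
    sid_attacker, _ = rp.start_login()
    ok_replay, why_replay = rp.complete_login(sid_attacker, token, now)
    # 4. Replaying into the logged-out session id also fails: that session is gone.
    ok_revive, why_revive = rp.complete_login(sid_alice, token, now)
    return ok_alice, ok_replay, why_replay, ok_revive, why_revive


if __name__ == "__main__":
    print(replay_scenario())
```

Note that this only covers the RP side of the thread: the nonce binds an id_token to the RP session that requested it, and logout discards that session rather than marking the token invalid. It does nothing about the IdP session still being alive, which is the part John says the redirect-to-IdP logout is for; if the attacker can start a new login while the victim's IdP session persists, the IdP will simply issue a fresh id_token with the attacker's nonce unless a reauth is forced.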