[Openid-specs-ab] Omitting an origin_uri in the OP session_state calculation
Todd W Lainhart
lainhart at us.ibm.com
Tue Jan 28 16:02:13 UTC 2014
https://bitbucket.org/openid/connect/issue/915/session-42-computation-of-op-session_state
describes how the origin URI available in the client-side PostMessage call
to the OP's session iframe must also be made available to the OP when the
session_state parameter is calculated in the auth_code flow.
Can someone describe the opportunity for exploit should the origin_uri
*not* be included in the session_state computation?
In other words, in the OP session/JS code excerpted from the spec below,
what exploit opportunities are opened if the session_state computation on
both server and client did not include an e.origin value (which I've
commented out below)?
// Here, the session_state is calculated in this particular way,
// but it is entirely up to the OP how to do it under the
// requirements defined in this specification.
var ss = CryptoJS.SHA256(client_id + ' ' + /*e.origin + ' '*/ +
opbs + [' ' + salt]) [+ "." + salt];
Todd Lainhart
Rational software
IBM Corporation
550 King Street, Littleton, MA 01460-1250
1-978-899-4705
2-276-4705 (T/L)
lainhart at us.ibm.com