[Openid-specs-ab] Discovery / Security Considerations: CSRF attack on user input identifier [was Re: Spec call notes 21-Sep-15]
Vladimir Dzhuvinov
vladimir at connect2id.com
Wed Sep 23 12:16:08 UTC 2015
On 22.09.2015 03:22, Mike Jones wrote:
> Spec call notes 21-Sep-15
>
> #979 - Discovery / Security Considerations: CSRF attack on user input identifier
> This is about an attacker getting someone to do discovery on a bad discovery document
> The bad document might use a legitimate site for dynamic client registration
> The attacker then has the code and credentials to get a token at the good site
> We have to do something so that people know they have registered at the right place
> You don't currently get the issuer identifier back from Registration
> John thinks we have to fix this in Registration
> It's a kind of fixation attack, which leads to a man-in-the-middle
>
I find returning the issuer URI from registration a more general
solution and therefore probably better than the original suggestion to
return the token endpoint URI.
IMO the ideal solution would not rely on the RP performing a
cross-check. I hope we can find a way where this can be detected by the OP.
--
Vladimir Dzhuvinov