[Openid-specs-ab] Issue #1425: Confidentiality of Self-Issued OP response (openid/connect)

chrisiba issues-reply at bitbucket.org
Tue Feb 1 11:21:12 UTC 2022


New issue 1425: Confidentiality of Self-Issued OP response
https://bitbucket.org/openid/connect/issues/1425/confidentiality-of-self-issued-op-response

Christina Bauer:

For Self-Issued OpenID Providers as native applications, the response to the RP is not passed to the browser in a redirect, but by OS-specific means. As of now, the Self-Issued OP Specification does not specify the properties required for this step.

In particular, we have a problem if an attacker can register an application they control as a handler for the RP redirect_uri on the End-User's device. Then the attacker might obtain a 'fresh' valid ID token with the RP in the audience for an identity of the End-User.

For a more detailed description, please see the writeup in the attached PDF.
