[Openid-specs-ab] 1-click account hijack for anyone using Google sign-in with Gitlab, due to response-type switch + leaking to gitlab-api.arkoselabs.com that has XSS

Nat Sakimura nat at nat.consulting
Tue Jul 25 02:23:15 UTC 2023


There are valid use cases for front-channel ID Tokens as I understand,
unlike in the case of access tokens.

On Tue, Jul 25, 2023 at 10:23 David Waite <david at alkaline-solutions.com> wrote:

> If OIDC 1.1 removed implicit, could we not just require PKCE and align
> with OAuth 2.1 work?
>
> -DW
>
> On Jul 24, 2023, at 6:01 PM, Nat Sakimura via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
> For those of you who are in IETF, hope you are having good time.
> Here is a vulnerability reported by Frans Rosén
> https://gitlab.com/gitlab-org/gitlab/-/issues/362394
> and
> https://user-content.gitlab-static.net/36d11caeb269229319a2912b9719ed1d55ec1af9/68747470733a2f2f68312e7365632e6769746c61622e6e65742f612f35616565376137322d643935372d343265652d393631652d3362393436613564323538642f6769746c61622d68696a61636b2e6d7034
> Maybe we should make nonce mandatory in OpenID Connect 1.1.
> Also, stronger recommendations on the use of request objects.
> Best,
>
> Nat Sakimura
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
>
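The mitigations the thread discusses (binding the ID Token to the login attempt with a nonce, requiring PKCE, and refusing tokens that arrive through a response type the relying party never asked for) are shown below as a worked relying-party implementation. This is an added example, not code from the mailing list, from GitLab, or from Google; the issuer, client ID and redirect URI are constructed placeholders, the in-process `ToyOP` is a stand-in for the OpenID Provider so the exchange runs offline, and its HS256 shared-secret signature stands in for the asymmetric JWKS-based signature check a real OP would require. The nonce, state and PKCE checks are the part that carries over unchanged.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder names; not real endpoints of any provider.
ISSUER = "https://op.example"
CLIENT_ID = "rp-example"
REDIRECT_URI = "https://rp.example/callback"
# Toy shared secret so the example can sign ID Tokens offline (assumption:
# a real OP signs with an asymmetric key published in its JWKS).
OP_SECRET = b"constructed-example-secret"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def start_login(session: dict) -> str:
    """Build the authorization request; pin state, nonce and PKCE verifier in the server-side session."""
    session["state"] = secrets.token_urlsafe(32)
    session["nonce"] = secrets.token_urlsafe(32)
    session["code_verifier"] = secrets.token_urlsafe(64)
    code_challenge = b64url(hashlib.sha256(session["code_verifier"].encode()).digest())
    params = {
        "response_type": "code",          # the only response type this RP will accept back
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{ISSUER}/authorize?{urlencode(params)}"


def verify_id_token(id_token: str, expected_nonce: str) -> dict:
    """Check signature (toy HS256), issuer, audience, expiry and the nonce bound to this login."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    expected_sig = hmac.new(OP_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    # A leaked or replayed ID Token was minted for some other login attempt: its nonce will not match.
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise ValueError("nonce mismatch: ID Token was not issued for this login attempt")
    return claims


def handle_callback(session: dict, callback_url: str, exchange_code) -> dict:
    """Accept only the flow start_login() began: a code in the query string with a matching state."""
    url = urlparse(callback_url)
    if url.fragment:
        # response_type was switched to token/id_token: the OP put tokens in the fragment.
        raise ValueError("fragment response rejected; this RP only accepts response_type=code")
    q = {k: v[0] for k, v in parse_qs(url.query).items()}
    if "id_token" in q or "access_token" in q:
        raise ValueError("tokens in the redirect rejected; only an authorization code is accepted")
    state = session.pop("state", None)
    if not state or not hmac.compare_digest(state, q.get("state", "")):
        raise ValueError("state mismatch")
    nonce = session.pop("nonce")
    code_verifier = session.pop("code_verifier")
    token_response = exchange_code(q["code"], code_verifier)   # back-channel POST to /token
    return verify_id_token(token_response["id_token"], nonce)


class ToyOP:
    """Constructed stand-in for the OpenID Provider so the exchange runs offline."""

    def __init__(self):
        self.codes = {}

    def sign(self, claims: dict) -> str:
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = b64url(json.dumps(claims).encode())
        sig = hmac.new(OP_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{b64url(sig)}"

    def authorize(self, auth_url: str) -> str:
        """Simulate the user consenting; remember nonce and PKCE challenge against the issued code."""
        req = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
        code = secrets.token_urlsafe(16)
        self.codes[code] = (req["nonce"], req["code_challenge"])
        return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': req['state']})}"

    def token(self, code: str, code_verifier: str) -> dict:
        nonce, challenge = self.codes.pop(code)   # single use
        if b64url(hashlib.sha256(code_verifier.encode()).digest()) != challenge:
            raise ValueError("PKCE verification failed")
        claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-123",
                  "nonce": nonce, "exp": int(time.time()) + 300}
        return {"id_token": self.sign(claims)}


def run_login(op: ToyOP) -> dict:
    """Full round trip: RP starts login, OP redirects back with a code, RP exchanges and verifies."""
    session = {}
    callback = op.authorize(start_login(session))
    return handle_callback(session, callback, op.token)


if __name__ == "__main__":
    print(run_login(ToyOP()))
```

The three checks in `handle_callback` and `verify_id_token` are independent: the fragment/query check catches the response-type switch before any token is touched, `state` ties the redirect to the browser session, and the `nonce` claim ties the ID Token itself to the login attempt so that a token leaked to a third party (or replayed from another session) cannot be presented back to this RP.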