[Openid-specs-ab] Issue #2074: Parameter pollution with redirect_uri injection in Authorization step (openid/connect)
innotommy
issues-reply at bitbucket.org
Fri Oct 27 19:06:12 UTC 2023
New issue 2074: Parameter pollution with redirect_uri injection in Authorization step
https://bitbucket.org/openid/connect/issues/2074/parameter-pollution-with-redirect_uri
tommaso innocenti:
To whom it may concern,
I want to suggest a change in the OpenID documentation, particularly section 3.1.2.2. Authentication Request Validation.
We have researched the OAuth protocol and identified a new class of attack, OPP, derived from the pollution of the redirect_uri in the Authorization request, which affected 10/16 popular IDPs.
[PAPER](https://innotommy.com/Wrong_redirect_uri_validation_in_OAuth-4.pdf)
Including an attacker's code as a parameter of the redirect_uri in the Authorization request generates an Authorization response containing double code parameters. This can cause a login CSRF attack on the Client site.
We would like the specification to include a check over the redirect_uri parameters in the Authorization request.
For example, an explicit directive to refuse requests containing a redirect_uri with a code parameter in the Authorization request.
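The two checks the issue is asking for, written as an added example rather than code from the issue, the paper, or any IdP: on the Authorization Server side, refuse a redirect_uri whose query already carries a response parameter name (the proposed directive) and otherwise require an exact match against the registered value; on the Relying Party side, refuse a callback that carries more than one code parameter instead of silently picking the first or last. The reserved-name list and the example URLs are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Parameter names the IdP itself places in the Authorization Response.
# Constructed for this example: code/state/error from OAuth 2.0, the rest
# from the implicit and hybrid response types.
RESERVED_RESPONSE_PARAMS = {"code", "state", "error", "error_description",
                            "id_token", "token", "access_token", "token_type"}


def validate_redirect_uri(redirect_uri, registered_uris):
    """Authorization Server side check on the Authentication Request.

    Returns (ok, reason). The reserved-parameter check runs first so that a
    polluted redirect_uri is refused with an explicit reason even on an IdP
    whose URI comparison is lax; exact string comparison against the
    registered values (OIDC 3.1.2.1) is then applied as well.
    """
    query = parse_qs(urlsplit(redirect_uri).query, keep_blank_values=True)
    clash = RESERVED_RESPONSE_PARAMS.intersection(query)
    if clash:
        return False, ("redirect_uri carries reserved parameter(s): "
                       + ",".join(sorted(clash)))
    if redirect_uri not in registered_uris:
        return False, "redirect_uri not registered for this client"
    return True, "ok"


def extract_code(callback_url):
    """Relying Party side: accept exactly one code parameter.

    A polluted redirect_uri yields a response such as
    ?code=ATTACKER&code=REAL; parse_qs keeps every repeat, so counting the
    values detects the collision instead of binding the session to the
    attacker's code.
    """
    query = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError(f"expected exactly one code parameter, got {len(codes)}")
    return codes[0]
```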