[Openid-specs-ab] Issue #864: Native Client code leakage (openid/connect)

John Bradley issues-reply at bitbucket.org
Thu Jul 25 14:00:19 UTC 2013

New issue 864: Native Client code leakage

John Bradley:

On iOS and other platforms tokens are returned from the browser to apps via a custom scheme URI.

On iOS at least any app can register any scheme, and it is non-deterministic what app gets called if multiple apps register the same scheme.

This leads to the possibility of codes being leaked to the wrong app.

A way around this proposed by both Ping and Google is to have the app generate a unique id for the request that is passed to the AS, and is then used as the value of the password in http basic authentication to the token endpoint.

Currently Connect has a request identifier (similar to saml:ID) called "nonce".
That could be used as the value or we could add a new parameter.
This would not work with "nonce" if the id_token is returned in the front channel, but that would be a bad idea anyway if we are concerned about interception.

If we reuse nonce then mostly we need a way for the client to know that the AS supports this, as it needs to know what the AS will be expecting as a password.
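The mitigation sketched in the message (the app generates a per-request secret, sends it with the authorization request, and the token endpoint checks it as the HTTP Basic password) can be shown end to end with a small in-memory simulation. This is an added example, not code from the thread or from any OpenID implementation; the `AuthorizationServer` and `NativeApp` classes, their method names, and the use of a separate `request_id` parameter (rather than reusing `nonce`) are assumptions made for illustration.

```python
import base64
import hmac
import secrets


class AuthorizationServer:
    """Constructed in-memory AS: binds each code to the request id the app supplied."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, request_id)

    def authorize(self, client_id, request_id):
        """Front channel: the app passes its per-request id; the code is bound to it."""
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, request_id)
        return code  # returned via the custom-scheme redirect URI

    def token(self, code, authorization_header):
        """Token endpoint: the caller must present the bound id as the Basic password."""
        entry = self._codes.pop(code, None)  # codes are single use
        if entry is None:
            return {"error": "invalid_grant"}
        client_id, request_id = entry
        try:
            scheme, _, b64 = authorization_header.partition(" ")
            if scheme != "Basic":
                raise ValueError("unsupported scheme")
            user, _, password = base64.b64decode(b64).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return {"error": "invalid_client"}
        # Constant-time compare so the check does not leak the secret via timing.
        if user != client_id or not hmac.compare_digest(password.encode(), request_id.encode()):
            return {"error": "invalid_client"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def basic_auth(user, password):
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class NativeApp:
    """Constructed native app: generates a fresh secret per authorization request."""

    def __init__(self, client_id):
        self.client_id = client_id
        self.request_id = None

    def start(self, server):
        self.request_id = secrets.token_urlsafe(32)  # never leaves the app except toward the AS
        return server.authorize(self.client_id, self.request_id)

    def redeem(self, server, code):
        return server.token(code, basic_auth(self.client_id, self.request_id))


def run_legitimate_flow():
    """The registered app completes the flow and receives a token."""
    server = AuthorizationServer()
    app = NativeApp("native-app")
    code = app.start(server)
    return app.redeem(server, code)


def run_interception():
    """Another app that registered the same scheme receives the code but not the request id."""
    server = AuthorizationServer()
    app = NativeApp("native-app")
    code = app.start(server)  # the redirect lands in the other app instead
    # The other app knows the (public) client_id and the code, but must guess the password.
    return server.token(code, basic_auth("native-app", "guessed-secret"))


def run_replay():
    """After a successful redemption the same code cannot be redeemed again."""
    server = AuthorizationServer()
    app = NativeApp("native-app")
    code = app.start(server)
    app.redeem(server, code)
    return app.redeem(server, code)


if __name__ == "__main__":
    print(run_legitimate_flow())
    print(run_interception())
    print(run_replay())
```

The point the simulation makes is that the leaked artefact (the code in the redirect URI) is useless on its own: the token endpoint additionally requires a secret that only travelled from the app to the AS in the authorization request, so an app that merely wins the scheme-registration race cannot redeem it. The same binding also needs a discovery signal so the client knows the AS expects that password, which is the open question the message ends on.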
