[Openid-specs-ab] Transient Client Secret Extension for OAuth

Ryo Ito ritou.06 at gmail.com
Mon Jul 29 06:56:58 UTC 2013


Hi,

I have an idea like this.

OAuth CSRF Protection Extension


(There are no draft specifications about this yet.)

About confidential clients: there are clients who have a risk of CSRF because
they do not use the state parameter correctly, but it is not easy for the
server to detect these clients.
I think that the tcs (and tcsh) strings in your specification should be
generated on the server side.

Ryo.


2013/7/29 Nat Sakimura <sakimura at gmail.com>

> As some of you know, passing the code securely to a native app on the iOS
> platform is next to impossible. A malicious application may register the same
> custom scheme as the victim application and hope to obtain the code, whose
> success rate is rather high.
>
> We discussed it during the OpenID Connect meeting at IETF 87
> today, and I have captured the discussion in the form of an I-D. It is pretty
> short and hopefully easy to read.
>
> You can find it at:
>
> https://bitbucket.org/Nat/drafts/src/
>
> Comments are welcome.
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>


-- 
====================
Ryo Ito
Email : ritou.06 at gmail.com
====================
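The tcs/tcsh binding the thread refers to, shown as an added example (this is not code from the draft or from either author). It assumes that tcsh is the SHA-256 digest of tcs and that the client generates tcs, which this thread does not confirm; the server-side generation Ryo proposes is not modelled.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


def tcsh_of(tcs: str) -> str:
    """Hash of the transient client secret (assumed: hex SHA-256)."""
    return hashlib.sha256(tcs.encode("ascii")).hexdigest()


@dataclass
class AuthorizationServer:
    """Minimal AS that binds each authorization code to the tcsh it was issued with."""
    issued: Dict[str, str] = field(default_factory=dict)  # code -> tcsh

    def authorize(self, tcsh: str) -> str:
        """Authorization endpoint: issue a code and remember the tcsh sent with it."""
        code = secrets.token_urlsafe(16)
        self.issued[code] = tcsh
        return code

    def token(self, code: str, tcs: Optional[str]) -> Optional[str]:
        """Token endpoint: redeem a code only if sha256(tcs) matches the stored tcsh."""
        tcsh = self.issued.pop(code, None)  # codes are single-use
        if tcsh is None or tcs is None:
            return None
        if not secrets.compare_digest(tcsh_of(tcs), tcsh):
            return None
        return "access-token-for-" + code


def legitimate_flow(server: AuthorizationServer) -> Optional[str]:
    """Client keeps tcs private, sends only tcsh up front, reveals tcs at token time."""
    tcs = secrets.token_urlsafe(32)
    code = server.authorize(tcsh_of(tcs))
    return server.token(code, tcs)


def hijacked_code_flow(server: AuthorizationServer) -> Optional[str]:
    """Another app on the device captures the code via the custom scheme but not tcs."""
    tcs = secrets.token_urlsafe(32)
    code = server.authorize(tcsh_of(tcs))  # delivered to the wrong app
    return server.token(code, "guessed-secret")  # wrong tcs: should be refused
```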