[Openid-specs-ab] 1000 WAYS TO DIE IN MOBILE OAUTH

Roland Hedberg roland at catalogix.se
Thu Aug 11 07:40:08 UTC 2016


> On 10 Aug 2016, at 09:42, Adam Dawes via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> 
> I just looked through the deck and it seems that most of these relate to OAuth2 based auth flows. At the end, one of the recommendations is to adopt OIDC. 
> 
> But in our experience, developers also get OIDC wrong far too often. The thing that is the biggest problem is proper ID token verification (issuer and audience checks). I really think that the community would be very well served with excellent open source JWT validation libraries on all major frameworks/languages. Google would be very interested in working with others on this problem. Please let me know if you have interest/ideas about how to improve this.

Count me in!
In the RP library test tool we’re developing there are some specific JWT validation tests.
There are no such tests in the OP test suite, though they could be added.

> The other area that concerns me but doesn't seem to be a major issue yet is clientID spoofing on platforms like iOS. Users don't pay enough attention to consent screens so spoofing another client is an interesting phishing vector.
> 
> On Tue, Aug 9, 2016 at 10:00 PM, Nat Sakimura via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> Just found a briefing in Blackhat 2016 titled “1000 WAYS TO DIE IN MOBILE OAUTH” <https://www.blackhat.com/us-16/briefings.html#1000-ways-to-die-in-mobile-oauth>
> 
> Says:
> 
> > “(1) all major identity providers, e.g., Facebook, Google and Microsoft, have re-purposed OAuth for user authentication;”
> 
> > [..snip..]
> 
> > “The result is really worrisome: among the 149 applications that use OAuth, 89 of them (59.7%) were incorrectly implemented and thus vulnerable.”
> 
> Maybe we should dig in.
> 
> 
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
> 
> 
> 
> 
> -- 
> Adam Dawes | Sr. Product Manager | adawes at google.com | +1 650-214-2410
> 
