[Openid-specs-ab] Issue #1058: sector_identifier_uri should have a /.well-known/ path (openid/connect)

James Manger issues-reply at bitbucket.org
Thu Nov 29 04:48:08 UTC 2018


New issue 1058: sector_identifier_uri should have a /.well-known/ path
https://bitbucket.org/openid/connect/issues/1058/sector_identifier_uri-should-have-a-well

James Manger:

The content of a sector_identifier_uri gives each listed app permission to receive pairwise identifiers for a particular domain (the domain of the sector_identifier_uri).

There should only be 1 URI for a domain that can convey this permission for the domain. That is, we should pick a well-known path [RFC 5785 Defining Well-Known URIs]. I suggest:

  https://<domain>/.well-known/openid/apps.json

Otherwise, an attacker can get permission to receive a domain's pairwise ids by finding any web address on the domain that will return the attacker's redirect_uri (or a redirect to a site that can list the attacker's redirect_uri).

An interim protection that OPs could implement is to reject a client registration if it has a sector_identifier_uri that has a different path but is in the same domain as another client.
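The two OP-side checks discussed in the issue, as an added example (not code from the OpenID specs or from the issue author): the standard validation that every registered redirect_uri is listed in the document fetched from the sector_identifier_uri, plus the proposed interim rule that rejects a registration whose sector_identifier_uri shares a host with an already-registered client but uses a different path, with an optional strict mode that only accepts the `/.well-known/openid/apps.json` path suggested in the issue. The client registry, the sector document and the "domain equals hostname" comparison are constructed assumptions for the example; a real OP would fetch the document over TLS and may want a broader notion of domain.

```python
from urllib.parse import urlsplit

# Path proposed in the issue as the single permitted sector_identifier_uri path.
WELL_KNOWN_PATH = "/.well-known/openid/apps.json"

# Constructed registry of clients the OP has already accepted:
# client_id -> sector_identifier_uri. Not real registrations.
EXISTING_CLIENTS = {
    "client-a": "https://example.com/.well-known/openid/apps.json",
    "client-b": "https://other.example/sector.json",
}

# Constructed stand-in for the JSON array an OP would fetch from the
# sector_identifier_uri: the redirect_uris that are allowed to share a sector.
SECTOR_DOCUMENT = [
    "https://app.example.com/cb",
    "https://app2.example.com/cb",
]


def split_sector_uri(uri):
    """Return (hostname, path) for an https sector_identifier_uri, or raise."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("sector_identifier_uri must be an absolute https URL")
    return parts.hostname.lower(), parts.path or "/"


def redirect_uris_authorized(sector_document, redirect_uris):
    """All redirect_uris in the registration must appear in the sector document.

    The document must be a JSON array of strings; anything else is rejected,
    so a page that merely *contains* a URL somewhere does not pass.
    """
    if not isinstance(sector_document, list):
        return False
    if not all(isinstance(u, str) for u in sector_document):
        return False
    allowed = set(sector_document)
    return bool(redirect_uris) and all(u in allowed for u in redirect_uris)


def check_sector_identifier_uri(candidate, registry, require_well_known=False):
    """Apply the interim rule from the issue (and optionally the strict one).

    Returns (accepted, reason). The host comparison is an exact hostname
    match, an assumption of this example rather than a spec requirement.
    """
    host, path = split_sector_uri(candidate)
    if require_well_known and path != WELL_KNOWN_PATH:
        return False, "sector_identifier_uri path must be %s" % WELL_KNOWN_PATH
    for client_id, existing in registry.items():
        existing_host, existing_path = split_sector_uri(existing)
        if existing_host == host and existing_path != path:
            return False, (
                "host %s is already bound to a different sector_identifier_uri "
                "path by %s" % (host, client_id)
            )
    return True, "ok"


def register_client(client_id, sector_identifier_uri, redirect_uris,
                    sector_document, registry, require_well_known=False):
    """Combine both checks; on success, record the client in the registry."""
    accepted, reason = check_sector_identifier_uri(
        sector_identifier_uri, registry, require_well_known)
    if not accepted:
        return False, reason
    if not redirect_uris_authorized(sector_document, redirect_uris):
        return False, "redirect_uris not all listed in sector document"
    registry[client_id] = sector_identifier_uri
    return True, "registered"


if __name__ == "__main__":
    registry = dict(EXISTING_CLIENTS)
    print(register_client("client-c", "https://example.com/some/other/page",
                          ["https://app.example.com/cb"], SECTOR_DOCUMENT, registry))
    print(register_client("client-d", "https://example.com/.well-known/openid/apps.json",
                          ["https://app.example.com/cb"], SECTOR_DOCUMENT, registry))
```

With `require_well_known=True` the interim host/path rule becomes redundant, since every accepted sector_identifier_uri on a host has the same path; the registry check is what protects an OP that still allows arbitrary paths.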



