[Openid-specs-ab] Issue #1058: sector_identifier_uri should have a /.well-known/ path (openid/connect)
issues-reply at bitbucket.org
Thu Nov 29 04:48:08 UTC 2018
New issue 1058: sector_identifier_uri should have a /.well-known/ path
The content of a sector_identifier_uri gives each listed app permission to receive pairwise identifiers for a particular domain (the domain of the sector_identifier_uri).
There should only be 1 URI for a domain that can convey this permission for the domain. That is, we should pick a well-known path [RFC 5785 Defining Well-Known URIs]. I suggest:
Otherwise, an attacker can get permission to receive a domain's pairwise ids by finding any web address on the domain that will return the attacker's redirect_uri (or a redirect to a site that can list the attacker's redirect_uri).
An interim protection that OPs could implement is to reject a client registration if it has a sector_identifier_uri that has a different path but is in the same domain as another client.
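The interim OP-side check described above, as an added example that is not part of the issue or of any OpenID implementation: a hypothetical in-memory `ClientRegistry` that refuses a dynamic registration whose sector_identifier_uri shares its host with an already registered client's but points at a different path. Host comparison uses the lowercased hostname plus port (so case differences and default ports do not create false mismatches), and the URI must be https with a host, as the spec requires for the sector identifier fetch.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


class RegistrationRejected(Exception):
    """Raised when a dynamic client registration request is refused."""


def _sector_key(uri: str):
    """Split a sector_identifier_uri into (origin, location) parts.

    origin   = (lowercased hostname, port)  -> identifies the domain
    location = (path, query)                -> identifies the document on it
    """
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.hostname:
        raise RegistrationRejected(
            "sector_identifier_uri must be an https URL with a host: %r" % uri
        )
    origin = (parts.hostname, parts.port)   # urlsplit lowercases hostname
    location = (parts.path or "/", parts.query)
    return origin, location


@dataclass
class ClientRegistry:
    """Hypothetical store: client_id -> sector_identifier_uri (constructed)."""
    clients: dict = field(default_factory=dict)

    def register(self, client_id: str, sector_identifier_uri: str) -> bool:
        """Register a client, applying the interim same-domain/different-path rule."""
        origin, location = _sector_key(sector_identifier_uri)
        for other_id, other_uri in self.clients.items():
            if other_id == client_id:
                continue  # re-registration of the same client is its own case
            other_origin, other_location = _sector_key(other_uri)
            if other_origin == origin and other_location != location:
                # Same domain already vouched for by a different document:
                # a second document on that domain must not be able to hand
                # pairwise-identifier permission to another redirect_uri.
                raise RegistrationRejected(
                    "client %r already uses %s for domain %s; refusing %s"
                    % (other_id, other_uri, origin[0], sector_identifier_uri)
                )
        self.clients[client_id] = sector_identifier_uri
        return True


if __name__ == "__main__":
    registry = ClientRegistry()
    registry.register("app-a", "https://rp.example/sector.json")
    # Same document, different host case: accepted.
    registry.register("app-b", "https://RP.example/sector.json")
    try:
        # Another path on the same domain: rejected under the interim rule.
        registry.register("app-c", "https://rp.example/uploads/sector.json")
    except RegistrationRejected as exc:
        print("rejected:", exc)
```

The rule is deliberately coarse: it also blocks a legitimate operator who publishes two different sector documents on one domain, which is the trade-off the issue accepts until a single well-known path is standardized.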