<div dir="ltr">Hi Ryo, <div><br></div><div>So, are you concerned with the client not generating a proper random secret or state? </div><div>Yes, generating a proper random value is actually kind of hard. So generating it at the server makes kind of sense. </div>
<div>At the same time, I am a bit concerned about the increased attack surface and the server load. </div><div><br></div><div>What do others think of the idea? </div><div><br></div><div>Nat</div><div><br></div></div><div class="gmail_extra">
<br><br><div class="gmail_quote">2013/7/29 Ryo Ito <span dir="ltr"><<a href="mailto:ritou.06@gmail.com" target="_blank">ritou.06@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div>Hi,</div><div><br></div><div>I have an idea like this.</div><div><br></div><div>OAuth CSRF Protection Extension</div><div><br></div><div><a href="http://www.websequencediagrams.com/cgi-bin/cdraw?lz=dGl0bGUgT0F1dGggMi4wIENTUkYgUHJvdGVjdGlvbiBFeHRlbnNpb24KCnBhcnRpY2lwYW50ICJVc2VyQWdlbnQiAAoOQ2xpAAMSU2VydmVyABsPAF4HZWRSZXNvdXJjZSIKCgBNCS0-AEMGOiBCZWdpbiBBdXRob3JpemF0AIEGBQBgBi0-AFMGOiAAWwYgU3RhdGUgUmVxdWVzdApub3RlIHJpZ2h0IG9mIACBEwYKUE9TVCAvc3RhdGUKYwCBJwVfaWQ9YWFhCmVuZCBub3RlCgCBKAYAUwpJc3N1ZSBhbmQgU2F2ZSBzAIFIBV8APgUsIFxuAAQNX3NlY3JldCBcbiB3aXRoIABaCQCAfw8AggwGCnsKICIARAwiOiJ4eHgiLAAIDwBPByI6Inl5eQAZBQCBMgkiIDogImFhYSIsCn0AgTESAII9CACCEQ9zcG9uc2UAghsGbGVmAE1FZXhwaXJlc19pbiI6MzYwMACBAwwAgycJAIQYBiA6AIJEBnIAgQIHIHBhcmFtZXRlcnMAgjAGb3duIHNlcwCEcQYAg2QIAIRpCToAhAAOAINnCQCEMgsAhBAIAINuFkdFVCAvYQCESwdlPwoAgQAIX3R5cGU9Y29kZSYAhA4OJgouLi4KAINtDD14eHgAgVULAIQjEFZhbGlkYXRlAIN2CgCEOwUAhC8MAIUZBm92ZXIgAIZDCSwAhBAIAIVhDgBOGgCFDAVjb2RlAIRoBgBOEgCEFF0gImNvZGUAhH0Fenp6IgCDZQ0Ahj0IAIMbGwCEfwcAh2ETAIUMDgCDKgxjYWxsYmFjaz9jb2RlPXp6eiYAgnsbAIRlEVZlcmlmeQCCeQ4AiDsRQWNjZXNzIFRva2UAhFIKAIgxG3Rva2VuCmdyYW50AIQ7BgCEUggAiScFXwCESQYAiBETPXl5eSYKAIE_CQCEXhQAhD0kb2RlLACEXAtcbgCEWREAiQ0HAIgEEQCBWg8Ah3kcImEAghAFXwCBZwUiOiIuLi4AiSAFcmVmcmVzaAAIEC4uLgCHahQAi2EROiAAi3QIAIJvBwCHFBxwaQoAegw9AIIUDQCMPBEAjDcKAIxXCA&s=patent" target="_blank">http://www.websequencediagrams.com/cgi-bin/cdraw?lz=dGl0bGUgT0F1dGggMi4wIENTUkYgUHJvdGVjdGlvbiBFeHRlbnNpb24KCnBhcnRpY2lwYW50ICJVc2VyQWdlbnQiAAoOQ2xpAAMSU2VydmVyABsPAF4HZWRSZXNvdXJjZSIKCgBNCS0-AEMGOiBCZWdpbiBBdXRob3JpemF0AIEGBQBgBi0-AFMGOiAAWwYgU3RhdGUgUmVxdWVzdApub3RlIHJpZ2h0IG9mIACBEwYKUE9TVCAvc3RhdGUKYwCBJwVfaWQ9YWFhCmVuZCBub3RlCgCBKAYAUwpJc3N1ZSBhbmQgU2F2ZSBzAIFIBV8APgUsIFxuAAQNX3NlY3JldCBcbiB3aXRoIABaCQCAfw8AggwGCnsKICIARAwiOiJ4eHgiLAAIDwBPByI6Inl5eQAZBQCBMgkiIDogImFhYSIsCn0AgTESAII9CACCEQ9zcG9uc2UAghsGbGVmAE1FZXhwaXJlc19pbiI6MzYwMACBAwwAgycJAIQYBiA6AIJEBnIAgQIHIHBhcmFtZXRlcnMAgjAGb3duIHNlcwCEcQYAg2QIAIRpCToAhAAOAINnCQCEMgsAhBAIAINuFkdFVCAvYQCESwdlPwoAgQAIX3R5cGU9Y29kZSYAhA4OJgouLi4KAINtDD14eHgAgVULAIQjEFZhbGlkYXRlAIN2CgCEOwUAhC8MAIUZBm92ZXIgAIZDCSwAhBAIAIVhDgBOGgCFDAVjb2RlAIRoBgBOEgCEFF0gImNvZGUAhH0Fenp6IgCDZQ0Ahj0IAIMbGwCEfwcAh2ETAIUMDgCDKgxjYWxsYmFjaz9jb2RlPXp6eiYAgnsbAIRlEVZlcmlmeQCCeQ4AiDsRQWNjZXNzIFRva2UAhFIKAIgxG3Rva2VuCmdyYW50AIQ7BgCEUggAiScFXwCESQYAiBETPXl5eSYKAIE_CQCEXhQAhD0kb2RlLACEXAtcbgCEWREAiQ0HAIgEEQCBWg8Ah3kcImEAghAFXwCBZwUiOiIuLi4AiSAFcmVmcmVzaAAIEC4uLgCHahQAi2EROiAAi3QIAIJvBwCHFBxwaQoAegw9AIIUDQCMPBEAjDcKAIxXCA&s=patent</a></div>

<div><br></div><div>(There are no draft specifications about this yet.)</div><div><br></div><div>About confidential clients, there are clients that have a risk of CSRF without using the state parameter correctly, but it is not easy for the server to detect these clients.</div>

<div>I think that the string of tcs (and tcsh) in your specifications should be generated on the Server-side.<br></div><div><br></div><div>Ryo.</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/7/29 Nat Sakimura <span dir="ltr"><<a href="mailto:sakimura@gmail.com" target="_blank">sakimura@gmail.com</a>></span><br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr">As some of you know, passing the code securely to a native app on the iOS platform is next to impossible. A malicious application may register the same custom scheme as the victim application and hope to obtain the code; the success rate is rather high. <div>


<br></div><div>We discussed it during the OpenID Connect Meeting at IETF 87 today, and I have captured the discussion in the form of an I-D. It is pretty short and hopefully easy to read. </div><div><br></div><div>


You can find it at: </div><div><br></div><div><a href="https://bitbucket.org/Nat/drafts/src/" target="_blank">https://bitbucket.org/Nat/drafts/src/</a></div><div><br></div><div>Comments are welcome. </div><span><font color="#888888"><div>

<div><br></div>-- <br>Nat Sakimura (=nat)<div>
Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en</div>
</div></font></span></div>
<br></div></div><div class="im">_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
<br></div></blockquote></div><span class="HOEnZb"><font color="#888888"><br><br clear="all"><div><br></div>-- <br>====================<br>Ryo Ito<br>Email : <a href="mailto:ritou.06@gmail.com" target="_blank">ritou.06@gmail.com</a><br>
====================
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Nat Sakimura (=nat)<div>Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en</div>
</div>
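A small Python model of the server-issued state idea Ryo sketches in the thread (an added example, not code from the thread or from any OpenID draft): the server draws the state from the OS CSPRNG, binds it to the requesting client_id, and accepts it exactly once before it expires. The StateIssuer class, the 600-second lifetime and the client names are assumptions made for this example.

```python
import hmac
import secrets
import time

# Assumed lifetime of an issued state (a constructed value, not from the thread).
STATE_TTL_SECONDS = 600


class StateIssuer:
    """Server-side issuance and single-use validation of the OAuth 'state' value.

    The server generates the random value itself and records which client_id it
    was issued to, so a client that cannot (or does not) produce good randomness
    still ends up with an unguessable, client-bound state.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing expiry
        self._states = {}            # state -> (client_id, expires_at)

    def issue(self, client_id):
        # secrets.token_urlsafe reads the OS CSPRNG; 32 bytes is 256 bits of
        # entropy, so the value is not guessable by brute force.
        state = secrets.token_urlsafe(32)
        self._states[state] = (client_id, self._clock() + STATE_TTL_SECONDS)
        return state

    def validate(self, client_id, state):
        """Return True exactly once for a live state issued to client_id.

        The entry is removed on first presentation, so a replayed, expired or
        wrongly bound state is rejected and cannot be retried.
        """
        entry = self._states.pop(state, None)
        if entry is None:
            return False             # unknown or already consumed
        bound_client, expires_at = entry
        if self._clock() > expires_at:
            return False             # expired
        # Constant-time comparison of the client binding.
        return hmac.compare_digest(bound_client.encode(), client_id.encode())


def demo():
    """Issue one state and present it twice; returns (first_ok, replay_ok)."""
    issuer = StateIssuer()
    state = issuer.issue("client-a")
    return issuer.validate("client-a", state), issuer.validate("client-a", state)
```

demo() returns (True, False): the first presentation succeeds and the replay is refused.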