[Openid-specs-fapi] Ensuring one-time use of request JWTs registered at the request JWT endpoint
vladimir at connect2id.com
Wed Aug 2 07:21:30 UTC 2017
It appears to me that one-time use of request objects registered by URI
cannot be guaranteed, unless read access to the request_uri is strictly
limited to the AS only.
Consider the following scenario:
1. Client registers request object at request_uri, one-time GET policy
is enforced, but the URL is world readable.
2. Malicious JS code in the browser GETs the request_uri
3. The authorization request will fail due to invalid request_uri
4. The malicious JS code can still re-register the request object as
many times as it wants
The statement in 7.2 may also need to be revised then:
> The request object needs to be signed for the client authentication
> and as the evidence of the client submitting the request object, which
> sometimes is called 'non-repudiation'.
If the request_uri is world readable, even if the AS takes measures to
make it hard to guess, the end-user / user agent will always be able to
get it and re-register it, which means the signature doesn't really hold
as evidence of the client submitting the request JWT.
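The four-step scenario above, modelled as an added example (not code from the post or from any OpenID implementation): a toy request_uri store with a one-time GET policy, run once with world-readable URIs and once with reads restricted to the AS. The store, the "browser" and "authorization-server" caller names and the placeholder JWT are all assumptions made for the illustration.

```python
import secrets

AS_PRINCIPAL = "authorization-server"  # assumed identity of the AS when it resolves a request_uri


class RequestObjectStore:
    """Toy request_uri endpoint (assumed model, not a real implementation)."""

    def __init__(self, reads_restricted_to_as: bool):
        self.reads_restricted_to_as = reads_restricted_to_as
        self._objects = {}

    def register(self, client_id: str, request_jwt: str) -> str:
        # Registration is assumed to accept any holder of the JWT (step 4 of the post).
        # The URI is unguessable, but unguessable is not the same as unreadable.
        uri = f"https://as.example/ro/{secrets.token_urlsafe(16)}"
        self._objects[uri] = (client_id, request_jwt)
        return uri

    def fetch(self, uri: str, caller: str):
        # Mitigation under test: only the AS may read the request_uri.
        if self.reads_restricted_to_as and caller != AS_PRINCIPAL:
            return None
        entry = self._objects.pop(uri, None)  # one-time GET: first reader consumes it
        return entry[1] if entry else None


def scenario(reads_restricted_to_as: bool) -> dict:
    store = RequestObjectStore(reads_restricted_to_as)
    jwt = "eyJhbGciOi.constructed.request-object"  # constructed placeholder, not a real JWT
    uri = store.register("client-1", jwt)

    leaked = store.fetch(uri, caller="browser")          # step 2: a non-AS reader GETs first
    as_view = store.fetch(uri, caller=AS_PRINCIPAL)      # step 3: AS finds the URI consumed
    replays = 0                                          # step 4: re-registration count
    if leaked is not None:
        for _ in range(3):
            new_uri = store.register("client-1", leaked)
            if store.fetch(new_uri, caller=AS_PRINCIPAL) == jwt:
                replays += 1
    return {
        "leaked": leaked is not None,
        "as_request_ok": as_view == jwt,
        "replays": replays,
    }
```

With world-readable URIs the one-time policy only breaks the legitimate request while the object itself is replayed freely; restricting reads to the AS is what actually makes the one-time property hold.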