[Openid-specs-fapi] Issue #194: Security considerations when two (oauth-mtls?) clients use same key (openid/fapi)

Joseph Heenan issues-reply at bitbucket.org
Wed Dec 5 14:20:50 UTC 2018


New issue 194: Security considerations when two (oauth-mtls?) clients use same key
https://bitbucket.org/openid/fapi/issues/194/security-considerations-when-two-oauth

Joseph Heenan:

As raised on today's call we may need to explicitly call out the security considerations of multiple clients sharing the same TLS client (or I guess private_key_jwt) private key.

Using keys in this manner may open extra attacks if the different clients have different permissions (e.g. one is read-only or one is read-write) or if one client is significantly more popular, allowing access tokens from the popular client to be used by compromising the less-popular (and potentially less well secured) one.
