[Openid-specs-fapi] Issue #534: Authorization Request Leaks lead to CSRF (openid/fapi)

Daniel Fett issues-reply at bitbucket.org
Thu Aug 4 08:10:53 UTC 2022


New issue 534: Authorization Request Leaks lead to CSRF
https://bitbucket.org/openid/fapi/issues/534/authorization-request-leaks-lead-to-csrf

Daniel Fett:

![](https://bitbucket.org/repo/K7gLBb/images/3426913584-Screenshot_20220804_100805.png)
![](https://bitbucket.org/repo/K7gLBb/images/1484905304-Screenshot_20220804_100835.png)

My take on this:

* This kind of CSRF can happen in all redirect-based flows unless browser features were used that guarantee the source and destination of redirects.

    * Solutions with postMessage are conceivable, but complicated and AFAIK not used anywhere.
    * Token binding would have been another solution.

* We should document and explain the attack.
* For the analysis: accept that if the authorization request leaks, session integrity is broken.



