V51, Verify usage of the "iss" parameter in by the authorization server #2095
Comments
For this proposed requirement I think we should not go to the functionality testing field. We also don't have a requirement a'la verify that the "state" value is presented in the access token or something like that, although this is a pre-condition to implement some other requirement. We also have issues like:
I think those issues should be solved together with the focus to "Verify that there is defense against mixup-attacks." |
elarlang
added
the
1) Discussion ongoing
|
Note, this is about Authorization Server Issuer Identification. |
Yes. It would probably be good to explicitly mention that the authorization server should include the "iss" in some way or another (possibly as part of a more general verification). |
|
So, as I said, I prefer to not go to the AS functionality testing field with a separate requirement, so I try to "inject" this need into to the current/replacement for 51.3.1
(validating it can be technically more descriptive) |
|
I would add: Verify that if the OAuth Client can interact with more than one authorization server it has a defense against mix-up attacks, for example, by requiring that the authorization server returns the 'iss' parameter value and validating it in both in the authorization response and in the token response. |
|
And if you want an even more beefy version of this, consider the text before. Clients that can interact with more than one auth server should also verify the client id. Verify that if the OAuth Client interacts with more than one authorization server, it implements defense mechanisms against mix-up attacks. For example, the client should require that the authorization server includes the 'iss' (issuer) parameter in both the authorization response and token response. The client must then validate that the 'iss' value matches the expected authorization server to prevent confusions between different servers. Additionally, consider verifying the client_id and other key parameters to further strengthen security, as recommended in RFC 9207. |
|
I think all 3 suggestions would work, but perhaps this (from @jmanico) aligns best with detail-level in other OAuth requirements?
|
elarlang
added
the
4) proposal for review
|
Slightly modifed:
|
elarlang
added
the
5) awaiting PR
|
Will be updated via #2095
|
elarlang
added
6) PR awaiting review
and removed
4) proposal for review
Currently there is this verification:
i.e. if the "iss" parameter is included in the authorization response the client must check it. By the client can proceed if the "iss" parameter is missing.
However, there is no verification for making sure that the authorization server actually included this parameter in the authorization response.
Why is this important: Verification of the issuer mitigates mix-up attacks as described in draft-ietf-oauth-security-topics-27.
Proposition:
This is not strictly necessary if the authorization server knows that the client will never talk to another authorization server but is it helpful to include this exception?
The text was updated successfully, but these errors were encountered: