[OAUTH-WG] Browser-Swapping

"Primbs, Jonas" <jonas.primbs@uni-tuebingen.de> Tue, 04 November 2025 04:09 UTC

From: "Primbs, Jonas" <jonas.primbs@uni-tuebingen.de>
To: oauth <oauth@ietf.org>
Thread-Topic: Browser-Swapping
Thread-Index: AQHcTUDTZ7fIraDJFUye4l1Hrk/iHg==
Date: Tue, 04 Nov 2025 04:09:34 +0000
Message-ID: <F032F35A-D55E-40A7-8589-3DD64BF8F7A0@uni-tuebingen.de>
Accept-Language: de-DE, en-US
Content-Language: en-US
Content-Type: multipart/signed; boundary="Apple-Mail=_A4A4BA19-3161-4392-9948-E1D86B7A7532"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
Message-ID-Hash: EP3E2REL3RCHYTHQZSFMMRC4BSMKBHN2
Precedence: list
Subject: [OAUTH-WG] Browser-Swapping
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/K8Wnw08GzPstyAQAh0JmSB47pOQ>

Hi all,

according to Aaron’s recommendation, I have created a PR for OAuth 2.1: https://github.com/oauth-wg/oauth-v2-1/pull/230

It references OpenID Connect’s response modes (fragment and form_post) as solutions for Browser-Swapping attacks, which I have presented in today’s OAuth WG meeting.
If you have missed my presentation, but are still interested, here are my slides: https://datatracker.ietf.org/meeting/124/materials/slides-124-oauth-sessa-browser-swapping-01

I’m interested in your feedback on this first draft, which currently covers only recommendation #2 from my slides, because this is probably the least controversial change.
If you are attending onsite, also feel free to speak to me in the hallway. My company gave me enough of the „No, PKCE…“ t-shirts for the rest of the week, so that it’s easier for you to find me. @Brian & Mike: I have learned from the best ;-)

Greetings,
Jonas


Jonas Primbs M.Sc.
University of Tübingen
Faculty of Science
Department of Computer Science
Sand 13, 72076 Tübingen, Germany
Tel.: (+49) 7071 / 29-70512
Mail: jonas.primbs@uni-tuebingen.de
Web: https://kn.inf.uni-tuebingen.de

Attachment: smime.p7s

[OAUTH-WG] Browser-Swapping Primbs, Jonas
[OAUTH-WG] Re: Browser-Swapping Neil Madden
[OAUTH-WG] Re: Browser-Swapping Filip Skokan
[OAUTH-WG] Re: Browser-Swapping Primbs, Jonas
[OAUTH-WG] Re: Browser-Swapping Neil Madden
[OAUTH-WG] Re: Browser-Swapping Vladimir Dzhuvinov | Connect2id
[OAUTH-WG] Re: Browser-Swapping Primbs, Jonas
[OAUTH-WG] Re: Browser-Swapping Dick Hardt
[OAUTH-WG] Re: Browser-Swapping Frederik Krogsdal Jacobsen
[OAUTH-WG] Re: Browser-Swapping Frederik Krogsdal Jacobsen
[OAUTH-WG] Re: Browser-Swapping Thomas Broyer
[OAUTH-WG] Re: Browser-Swapping Max Gerber
[OAUTH-WG] Re: Browser-Swapping Primbs, Jonas
[OAUTH-WG] Re: Browser-Swapping Primbs, Jonas
[OAUTH-WG] Re: Browser-Swapping Primbs, Jonas
[OAUTH-WG] Re: Browser-Swapping Filip Skokan
[OAUTH-WG] Re: Browser-Swapping Warren Parad
[OAUTH-WG] Re: Browser-Swapping Primbs, Jonas
[OAUTH-WG] Re: Browser-Swapping Primbs, Jonas
[OAUTH-WG] Re: Browser-Swapping Primbs, Jonas
[OAUTH-WG] Re: Browser-Swapping Filip Skokan
[OAUTH-WG] Re: Browser-Swapping Warren Parad
[OAUTH-WG] Re: Browser-Swapping Neil Madden
[OAUTH-WG] Re: Browser-Swapping Primbs, Jonas
[OAUTH-WG] Re: Browser-Swapping Tim Würtele
[OAUTH-WG] Re: Browser-Swapping Max Gerber
[OAUTH-WG] Re: Browser-Swapping Primbs, Jonas
[OAUTH-WG] Re: Browser-Swapping Frederik Krogsdal Jacobsen
[OAUTH-WG] Re: Browser-Swapping Warren Parad
[OAUTH-WG] Re: Browser-Swapping Primbs, Jonas
[OAUTH-WG] Re: Browser-Swapping Philippe De Ryck
[OAUTH-WG] Re: Browser-Swapping Neil Madden
[OAUTH-WG] Re: Browser-Swapping Primbs, Jonas
[OAUTH-WG] Re: Browser-Swapping Warren Parad
[OAUTH-WG] Re: Browser-Swapping Primbs, Jonas
[OAUTH-WG] Re: Browser-Swapping Aaron Parecki
[OAUTH-WG] Re: Browser-Swapping Primbs, Jonas
[OAUTH-WG] Re: Browser-Swapping Neil Madden
[OAUTH-WG] Re: Browser-Swapping Aaron Parecki
[OAUTH-WG] Re: Browser-Swapping Max Gerber
[OAUTH-WG] Re: Browser-Swapping Primbs, Jonas
[OAUTH-WG] Re: Browser-Swapping Frederik Krogsdal Jacobsen
[OAUTH-WG] Re: Browser-Swapping Warren Parad
[OAUTH-WG] Re: Browser-Swapping Frederik Krogsdal Jacobsen
[OAUTH-WG] Re: Browser-Swapping Warren Parad
[OAUTH-WG] Re: Browser-Swapping Frederik Krogsdal Jacobsen
[OAUTH-WG] Re: Browser-Swapping Warren Parad
[OAUTH-WG] Re: Browser-Swapping Warren Parad
[OAUTH-WG] Re: Browser-Swapping Primbs, Jonas
[OAUTH-WG] Re: Browser-Swapping Philippe De Ryck
[OAUTH-WG] Re: Browser-Swapping Primbs, Jonas
[OAUTH-WG] Re: Browser-Swapping Warren Parad
[OAUTH-WG] Re: Browser-Swapping Warren Parad
[OAUTH-WG] Re: Browser-Swapping Primbs, Jonas
[OAUTH-WG] Re: Browser-Swapping Thomas Broyer
[OAUTH-WG] Re: Browser-Swapping Primbs, Jonas
[OAUTH-WG] Re: Browser-Swapping Primbs, Jonas
[OAUTH-WG] Re: Browser-Swapping Thomas Broyer
[OAUTH-WG] Re: Browser-Swapping Will Bartlett
[OAUTH-WG] Re: Browser-Swapping Primbs, Jonas
[OAUTH-WG] Re: Browser-Swapping Logan Widick
[OAUTH-WG] Re: Browser-Swapping Primbs, Jonas
[OAUTH-WG] Re: Browser-Swapping Primbs, Jonas
[OAUTH-WG] Re: Browser-Swapping kcloud
[OAUTH-WG] Re: Browser-Swapping Aaron Parecki
[OAUTH-WG] Re: Browser-Swapping Primbs, Jonas
[OAUTH-WG] Re: Browser-Swapping Logan Widick
[OAUTH-WG] Re: Browser-Swapping Primbs, Jonas
[OAUTH-WG] Re: Browser-Swapping Warren Parad

[OAUTH-WG] Browser-Swapping

Attachment: smime.p7s