Re: [OAUTH-WG] Call for Adoption Wed, 27 January 2016 10:30 UTC

To: Hans Zandbelt
Date: Wed, 27 Jan 2016 19:31:04 +0900

Hi Hans,

Sorry, I mixed up the IdP mix-up attack and the code phishing attack.

Mandating the Authorization and Token Endpoint being in the same
authority would solve the latter without changing the wire protocol.

For the AS mix-up attack, mandating the client to change the redirection
per AS would solve the problem without changing the wire protocol.

If these are not possible, then we would have to look at changing the
wire protocol. The solution that solves both cases must
provide the token endpoint URI authoritatively, which means
you have to make some variation of discovery mandatory.


At 2016-01-27 17:01  Hans Zandbelt wrote:
> I don't see how that can deal with the specific form of the attack
> where the Client would have sent the authorization request to the
> legitimate authorization endpoint of a compromised AS and believes it
> gets the response from that, where in fact it was redirected away to
> the good AS.
> IOW, I don't think this is so much about mixing up endpoints where to
> send stuff to, but mixing up the entity/endpoint from which the Client
> believes the response was received. That may just be terminology
> though.
> Bottom line as far as I see is that a wire protocol element in the
> response is needed to tell the Client who issued it, regardless of how
> the Client deals with configuration of the AS information.
> Hans.
> On 1/27/16 1:31 AM, Nat Sakimura wrote:
>> So, are there a lot of cases where the authority section of the Good
>> AS's Authorization Endpoint and the Token Endpoints are different?
>> If not, then requiring that they are the same seems to virtually
>> remove the attack surface for the mix-up related attacks. It does not
>> introduce a new parameter nor discovery. If it can be done, it probably
>> is not worth adding a new wire protocol element to mitigate the mix-up
>> variants.
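The two client-side measures discussed in this thread (same authority for the authorization and token endpoints, and a distinct redirect URI per AS) can be sketched as follows. This is an added example, not code from the thread or from any OAuth library; `ASRegistry`, its methods, and the `client.example` / `as-a.example` URLs are hypothetical names constructed for illustration.

```python
from urllib.parse import urlsplit


def authority(url):
    """Return the (scheme, host, port) authority of an https endpoint URL."""
    p = urlsplit(url)
    if p.scheme != "https" or not p.hostname or p.username or p.password:
        raise ValueError(f"unacceptable endpoint URL: {url!r}")
    return (p.scheme, p.hostname.lower(), p.port or 443)


class ASRegistry:
    """Client-side AS configuration, keyed by a redirect URI unique to each AS."""

    def __init__(self):
        self._by_redirect = {}

    def register(self, redirect_uri, authorization_endpoint, token_endpoint):
        # Measure 2: every AS gets its own redirect URI, never a shared one.
        if redirect_uri in self._by_redirect:
            raise ValueError("redirect URI already assigned to another AS")
        # Measure 1: both endpoints must live under the same authority.
        if authority(authorization_endpoint) != authority(token_endpoint):
            raise ValueError("authorization and token endpoints differ in authority")
        self._by_redirect[redirect_uri] = {
            "authorization_endpoint": authorization_endpoint,
            "token_endpoint": token_endpoint,
        }

    def start_flow(self, session, redirect_uri):
        """Bind the user session to the AS the request is being sent to."""
        session["redirect_uri"] = redirect_uri
        return self._by_redirect[redirect_uri]["authorization_endpoint"]

    def token_endpoint_for(self, session, callback_url):
        """Choose the token endpoint from the redirect URI the response hit."""
        p = urlsplit(callback_url)
        arrived_on = f"{p.scheme}://{p.netloc}{p.path}"
        if arrived_on != session.get("redirect_uri"):
            raise ValueError("response arrived on a redirect URI of a different AS")
        return self._by_redirect[arrived_on]["token_endpoint"]
```

The code is only ever sent to the token endpoint registered alongside the redirect URI on which the response arrived, and only if that matches the AS the session was started with.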