Subject: Re: [OAUTH-WG] [EXTERNAL] Re: Device Authorization Grant and Illicit Consent Exploits
In the case of the DEF CON video showing the Microsoft exploit, it worked like this (if I recall correctly):

The attacker started the device flow from their system, sent the user a link to login with an "
From: Brock Allen <mailto:brockal...@gmail.com>
Sent: Thursday 17 March 2022 21:25
To: Pieter Kasselman <mailto:pieter.kassel...@microsoft.com>; oauth@ietf.org <mailto:oauth@ietf.org>
Subject: [EXTERNAL] Re: [OAUTH-WG] Device Authorization Grant and Illicit Consent Exploits

I watched one of those videos and it seems to be that a proper consent screen would have been the best and easiest line
> d constrained as possible and then mitigating against errors in judgement will help the overall security posture.
>
> Cheers
>
> Pieter
>
> *From:* Shane B Weeden
> *Sent:* Thursday 17 March 2022 21:21
> *To:* Pieter Kasselman
> *Cc:* oauth
Subject: [OAUTH-WG] Device Authorization Grant and Illicit Consent Exploits
Isn't this essentially what is mitigated in the FAPI-compliant OIDC CIBA by:

1. Requiring the client to initiate the flow with signed request parameters which include, via some hint, the resource owner for whom authentication is being
, help them make better decisions and then protecting them in case of a bad decision will help drive down risk.

Cheers

Pieter