Re: [OAUTH-WG] [EXTERNAL] Re: Device Authorization Grant and Illicit Consent Exploits

2022-03-24 Thread Brock Allen
: Re: [OAUTH-WG] [EXTERNAL] Re: Device Authorization Grant and Illicit Consent Exploits   In the case of DEF CON video showing the Microsoft exploit, it worked like this (if I recall correctly):   The attacker started the device flow from their system, sent the user a link to login with an "

Re: [OAUTH-WG] [EXTERNAL] Re: Device Authorization Grant and Illicit Consent Exploits

2022-03-24 Thread Pieter Kasselman
From: Brock Allen <mailto:brockal...@gmail.com> Sent: Thursday 17 March 2022 21:25 To: Pieter Kasselman <mailto:pieter.kassel...@microsoft.com>; oauth@ietf.org<mailto:oauth@ietf.org> Subject: [EXTERNAL] Re: [OAUTH-WG] Device Authorization Grant and Illicit Consen

Re: [OAUTH-WG] [EXTERNAL] Re: Device Authorization Grant and Illicit Consent Exploits

2022-03-24 Thread Pieter Kasselman
rock Allen <mailto:brockal...@gmail.com> Sent: Thursday 17 March 2022 21:25 To: Pieter Kasselman <mailto:pieter.kassel...@microsoft.com>; oauth@ietf.org<mailto:oauth@ietf.org> Subject: [EXTERNAL] Re: [OAUTH-WG] Device Authorization Grant and Illicit Consent Exploits I watched one

Re: [OAUTH-WG] [EXTERNAL] Re: Device Authorization Grant and Illicit Consent Exploits

2022-03-23 Thread Brock Allen
022 21:25 To: Pieter Kasselman [mailto:pieter.kassel...@microsoft.com]; oauth@ietf.org [mailto:oauth@ietf.org] Subject: [EXTERNAL] Re: [OAUTH-WG] Device Authorization Grant and Illicit Consent Exploits   I watched one of those videos and it seems to be that a proper consent screen would have been the be

Re: [OAUTH-WG] [EXTERNAL] Re: Device Authorization Grant and Illicit Consent Exploits

2022-03-23 Thread George Fletcher
len *Sent:* Thursday 17 March 2022 21:25 *To:* Pieter Kasselman ; oauth@ietf.org *Subject:* [EXTERNAL] Re: [OAUTH-WG] Device Authorization Grant and Illicit Consent Exploits I watched one of those videos and it seems to be that a proper consent screen would have been the best and easiest line

Re: [OAUTH-WG] [EXTERNAL] Re: Device Authorization Grant and Illicit Consent Exploits

2022-03-22 Thread Dave Tonge
d constrained as > possible and then mitigating against errors in judgement will help the > overall security posture. > > > > Cheers > > > > Pieter > > > > *From:* Shane B Weeden > *Sent:* Thursday 17 March 2022 21:21 > *To:* Pieter Kasselman > *Cc:* oauth

Re: [OAUTH-WG] [EXTERNAL] Re: Device Authorization Grant and Illicit Consent Exploits

2022-03-18 Thread Pieter Kasselman
: [OAUTH-WG] Device Authorization Grant and Illicit Consent Exploits Isn’t this essentially what is mitigated in the FAPI-compliant OIDC CIBA by: 1. Requiring the client to initiate the flow with signed request parameters which include, via some hint, the resource owner for whom authentication is being

Re: [OAUTH-WG] [EXTERNAL] Re: Device Authorization Grant and Illicit Consent Exploits

2022-03-18 Thread Pieter Kasselman
, help them make better decisions and then protecting them in case of a bad decision will help drive down risk. Cheers Pieter From: Brock Allen Sent: Thursday 17 March 2022 21:25 To: Pieter Kasselman ; oauth@ietf.org Subject: [EXTERNAL] Re: [OAUTH-WG] Device Authorization Grant and Illicit