Guanping Zhang created CXF-9224:
-----------------------------------

             Summary: Authorization responses omit RFC 9207 iss parameter, exposing clients to OAuth mix-up attacks
                 Key: CXF-9224
                 URL: https://issues.apache.org/jira/browse/CXF-9224
             Project: CXF
          Issue Type: Bug
          Components: JAX-RS, JAX-RS Security
    Affects Versions: 4.2.2
            Reporter: Guanping Zhang


According to RFC 9207 (OAuth 2.0 Authorization Server Issuer Identification), 
the authorization server MUST return an {{iss}} parameter in the authorization 
response (alongside {{code}} or {{state}}) to allow the client to 
cryptographically verify which AS issued the response.

Currently, CXF's {{AuthorizationCodeGrantService}}, 
{{AbstractImplicitGrantService}}, and {{OidcHybridService}} build the 
redirect URI without including the {{iss}} parameter. This leaves clients 
registered with multiple authorization servers vulnerable to OAuth mix-up 
attacks, as they cannot definitively bind the response to the intended issuer.
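The two halves of the RFC 9207 mechanism, shown as an added example that is not part of this issue or of CXF's code: the server side appends {{iss}} next to {{code}}/{{state}} (in the fragment for implicit/hybrid style responses), and the client side refuses any callback whose {{iss}} is missing or differs from the issuer it recorded when it sent the user out under that {{state}}. The issuer URLs, redirect URI and state values are constructed for the example.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed issuer identifiers for the example (not real servers).
HONEST_AS = "https://as.example"
OTHER_AS = "https://other-as.example"


def build_authorization_response(redirect_uri, issuer, code=None, state=None, fragment=False):
    """Server side: append code/state and the RFC 9207 `iss` parameter to the
    client's redirect URI. fragment=True mirrors the implicit/hybrid flows, which
    return the parameters in the URI fragment instead of the query string."""
    params = {}
    if code is not None:
        params["code"] = code
    if state is not None:
        params["state"] = state
    params["iss"] = issuer  # always present, whatever else the response carries
    if fragment:
        return redirect_uri + "#" + urlencode(params)
    sep = "&" if "?" in redirect_uri else "?"
    return redirect_uri + sep + urlencode(params)


class IssuerMismatch(Exception):
    """Raised when the response cannot be bound to the issuer the client expected."""


def verify_authorization_response(response_uri, pending, fragment=False):
    """Client side: `pending` maps each outstanding `state` value to the issuer the
    client redirected the user to. Returns (code, iss) when the response is bound
    to that issuer and raises IssuerMismatch otherwise."""
    parts = urlsplit(response_uri)
    q = parse_qs(parts.fragment if fragment else parts.query)
    state = q.get("state", [None])[0]
    if state not in pending:
        raise IssuerMismatch("unknown or missing state")
    expected = pending[state]
    iss = q.get("iss", [None])[0]
    if iss is None:
        # Without iss the client cannot tell which AS answered, which is the
        # gap this issue describes for CXF's redirect builders.
        raise IssuerMismatch("response carries no iss parameter")
    if iss != expected:  # RFC 9207 requires an exact string comparison
        raise IssuerMismatch(f"iss {iss!r} does not match expected {expected!r}")
    code = q.get("code", [None])[0]
    return code, iss


if __name__ == "__main__":
    pending = {"s1": HONEST_AS}  # state s1 was issued for a request to HONEST_AS
    ok = build_authorization_response("https://client.example/cb", HONEST_AS, code="c1", state="s1")
    print(verify_authorization_response(ok, pending))  # ('c1', 'https://as.example')
    for bad in (
        build_authorization_response("https://client.example/cb", OTHER_AS, code="c1", state="s1"),
        "https://client.example/cb?code=c1&state=s1",  # no iss at all, as CXF currently emits
    ):
        try:
            verify_authorization_response(bad, pending)
        except IssuerMismatch as e:
            print("rejected:", e)
```

Keying the expected issuer off {{state}} is what makes the check meaningful: the client compares the issuer that actually answered against the one it chose before the redirect, rather than trusting whichever AS metadata the callback happens to match.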



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
