Guanping Zhang created CXF-9224:
-----------------------------------
Summary: Authorization responses omit RFC 9207 iss parameter,
exposing clients to OAuth mix-up attacks
Key: CXF-9224
URL: https://issues.apache.org/jira/browse/CXF-9224
Project: CXF
Issue Type: Bug
Components: JAX-RS, JAX-RS Security
Affects Versions: 4.2.2
Reporter: Guanping Zhang
According to RFC 9207 (OAuth 2.0 Authorization Server Issuer Identification),
the authorization server MUST return an {{iss}} parameter in the authorization
response (alongside {{code}} or {{state}}) to allow the client to
cryptographically verify which AS issued the response.
Currently, CXF's {{AuthorizationCodeGrantService}},
{{AbstractImplicitGrantService}}, and {{OidcHybridService}} build the
redirect URI without including the {{iss}} parameter. This leaves clients
registered with multiple authorization servers vulnerable to OAuth mix-up
attacks, as they cannot definitively bind the response to the intended issuer.
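The following is an added, self-contained illustration of the check the report is about; it is not CXF code and does not use the CXF API. It shows an authorization server adding the RFC 9207 {{iss}} parameter next to {{code}} and {{state}}, and a client that, per RFC 9207 section 2.4, compares {{iss}} against the issuer it actually sent the user to and rejects a response that lacks {{iss}} when the server's metadata advertises {{authorization_response_iss_parameter_supported}}. The issuer identifiers, redirect URI, {{state}} and {{code}} values are constructed for the example.

```python
"""Added illustration of the RFC 9207 `iss` check discussed in CXF-9224.
Not CXF code: a standalone sketch of both sides of the exchange."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse


def build_authorization_response(redirect_uri: str, code: str, state: str, issuer: str) -> str:
    """Authorization server side. RFC 9207 section 2: the AS adds `iss`
    (its issuer identifier) to the authorization response next to `code`
    and `state`. This is the parameter the ticket reports as missing."""
    return redirect_uri + "?" + urlencode({"code": code, "state": state, "iss": issuer})


@dataclass
class PendingAuthorization:
    """What the client stored when it started the flow (values constructed):
    which AS it sent the user to, and the `state` it expects back."""
    state: str
    issuer: str         # issuer identifier of the AS chosen for this flow
    iss_supported: bool  # from that AS's metadata: authorization_response_iss_parameter_supported


def validate_authorization_response(redirect_url: str,
                                    pending: dict[str, PendingAuthorization]):
    """Client side. Returns (code, None) on success or (None, reason) when the
    response is rejected. `pending` maps state -> the outstanding request."""
    query = parse_qs(urlparse(redirect_url).query, keep_blank_values=True)
    # RFC 6749 forbids repeated parameters; treat duplicates as an error.
    for name in ("code", "state", "iss"):
        if len(query.get(name, [])) > 1:
            return None, f"duplicate {name} parameter"
    state = query.get("state", [None])[0]
    req = pending.get(state) if state else None
    if req is None:
        return None, "unknown or missing state"
    iss = query.get("iss", [None])[0]
    if iss is None:
        # RFC 9207 section 2.4: a client that knows the AS supports `iss`
        # MUST reject responses that omit it.
        if req.iss_supported:
            return None, "iss missing although AS advertises support"
        # Legacy AS: nothing binds this response to an issuer, which is the
        # situation the ticket describes for CXF's current redirects.
    elif iss != req.issuer:
        # Response came from a different AS than the one this flow targeted.
        return None, f"iss {iss!r} does not match expected {req.issuer!r}"
    code = query.get("code", [None])[0]
    if not code:
        return None, "missing code"
    del pending[state]  # state is single-use
    return code, None


if __name__ == "__main__":
    state = "c3VwZXJzZWNyZXQ"  # constructed
    req = PendingAuthorization(state, "https://as-a.example", iss_supported=True)
    url = build_authorization_response("https://client.example/cb",
                                       "SplxlOBeZQQYbYS6WxSbIA", state, "https://as-a.example")
    print(validate_authorization_response(url, {state: req}))
```

The client keeps per-issuer state about {{iss}} support so that a server which advertises the parameter cannot later be impersonated by a response without it; a server that never advertised support is handled as before RFC 9207, which is exactly the gap the report identifies.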
--
This message was sent by Atlassian Jira
(v8.20.10#820010)