Agree with Phil, an additional header is a bad idea. It's not only yet another thing that can be attacked, it's another thing that can get out of sync by the client. Always assume OAuth clients are the dumbest parts of the system.

 -- Justin

On 3/12/2016 2:36 PM, Phil Hunt (IDM) wrote:
Right now we are discussing mis-configured clients that have been convinced to use a token or rs endpoint that has been mitm. Adding a new parameter increases attack surface because the rs is now ignoring the token and believing the header which may have been inserted.

Phil

On Mar 12, 2016, at 11:29, Jim Willeke <j...@willeke.com <mailto:j...@willeke.com>> wrote:

Would a header be a concern if TLS was used for transportation?

--
-jim
Jim Willeke

On Sat, Mar 12, 2016 at 10:03 AM, Phil Hunt (IDM) <phil.h...@oracle.com <mailto:phil.h...@oracle.com>> wrote:

    A header might open another attack vector. Better to parse the
    jwt and look for the issuer assuming the jwt validates.

    Phil

    On Mar 12, 2016, at 09:02, Jim Willeke <j...@willeke.com
    <mailto:j...@willeke.com>> wrote:

    Why not register JWT as an access token type
    
<https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-types>
    and then the Issuer is implied?

    --
    -jim
    Jim Willeke

    On Sat, Mar 12, 2016 at 8:32 AM, Mike Schwartz <m...@gluu.org
    <mailto:m...@gluu.org>> wrote:

        Kawasaki-san,

        This is a really good question: how to know the issuer of a
        bearer token. Is there a header that could be added to
        specify the issuer, or other important metadata?

        - Mike


        -------------------------------------
        Michael Schwartz
        Gluu
        Founder / CEO
        m...@gluu.org <mailto:m...@gluu.org>

        _______________________________________________
        OAuth mailing list
        OAuth@ietf.org <mailto:OAuth@ietf.org>
        https://www.ietf.org/mailman/listinfo/oauth






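The approach Phil describes above (parse the JWT, read the issuer, but trust it only once the JWT validates), as an added example that is not code from any participant in this thread. It uses only the Python standard library with constructed HS256 keys; the issuer URLs, key values and the `mint_token` helper are assumptions for the demo, and an optional `issuer_hint` stands in for the proposed header so the mismatch case can be shown being rejected.

```python
import base64
import hashlib
import hmac
import json

# Constructed per-issuer keys the resource server is configured with (hypothetical values).
ISSUER_KEYS = {
    "https://as.example.com": b"constructed-demo-key-for-as-example",
}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(issuer: str, key: bytes, claims: dict) -> str:
    """Constructed helper that builds an HS256 JWT for the demo (not an AS implementation)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"iss": issuer, **claims}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verified_issuer(token: str, issuer_hint=None):
    """Return the issuer of a token whose signature validates, otherwise None.

    The unverified 'iss' claim is used only to *select* the verification key; it is
    trusted only after the signature checks out. An out-of-band hint (e.g. a header)
    never replaces the signed claim, and a hint that disagrees with it is rejected.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
    except ValueError:  # malformed segments, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":  # accept only the algorithm we configured
        return None
    claimed = payload.get("iss")
    key = ISSUER_KEYS.get(claimed)  # unknown issuer -> no key -> reject
    if key is None:
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None  # signature does not validate: claims are not trusted
    if issuer_hint is not None and issuer_hint != claimed:
        return None  # header contradicts the signed token
    return claimed
```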

