I like the new text, it frames the error better and puts it in the context where it’s likely to be exploited. IE, newly dynamically registered clients shouldn’t be trusted as much as others.
— Justin > On Mar 22, 2018, at 8:16 AM, Brian Campbell <bcampb...@pingidentity.com> > wrote: > > That works for me > > On Wed, Mar 21, 2018 at 7:34 PM, Torsten Lodderstedt <tors...@lodderstedt.net > <mailto:tors...@lodderstedt.net>> wrote: > Hi all, > > thanks for your feedback. Here is my text proposal for section 3.8.1. > > —— > > Attackers could try to utilize a user's trust in the authorization > server (and its URL in particular) for performing phishing attacks. > > RFC 6749 already prevents open redirects by stating the AS > MUST NOT automatically redirect the user agent in case > of an invalid combination of client_id and redirect_uri. > > However, as described in [I-D.ietf-oauth-closing-redirectors], an > attacker could also utilize a correctly registered redirect URI to > perform phishing attacks. It could for example register a client > via dynamic client registration and intentionally send an > erroneous authorization request, e.g. by using an invalid > scope value, to cause the AS to automatically redirect the user > agent to its phishing site. > > The AS MUST take precautions to prevent this threat. > Based on its risk assessment the AS needs to decide whether > it can trust the redirect URI or not and should only automatically > redirect the user agent, if it trusts the redirect URI. If not, it could > inform the user that it is about to redirect her to the another site > and rely on the user to decide or just inform the user about the > error. > > —— > > kind regards, > Torsten. > > > > > CONFIDENTIALITY NOTICE: This email may contain confidential and privileged > material for the sole use of the intended recipient(s). Any review, use, > distribution or disclosure by others is strictly prohibited.. If you have > received this communication in error, please notify the sender immediately by > e-mail and delete the message and any file attachments from your computer. > Thank you._______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > <https://www.ietf.org/mailman/listinfo/oauth>
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
