Hi Christian,

thanks for bringing this to our attention! I think the recommendations in the PR are very helpful and we will consider adding the text to the document.

-Daniel

On 25.10.22 at 15:37, Christian Mainka wrote:
Hi,

we would like to request the inclusion of _in-browser communication security considerations_ in the OAuth security topics.

We found that in-browser communications like the postMessage API are widely used by Clients and Authorization Servers as an alternative to the standardized HTTP redirects. If these techniques are used insecurely, OAuth token leaks and injections are possible.

We will publish our results soon at ACM CCS in November 2022.
The paper is accessible at [1].

We think that the paragraph about in-browser communications should be added to the security topics. We created a pull request [2] to help developers in understanding the risks and best practices of using in-browser communications in OAuth.

We are happy to discuss the idea here or directly in the pull request.

Best regards
Christian

[1]: "DISTINCT: Identity Theft using In-Browser Communications in Dual-Window Single Sign-On", https://distinct-sso.com/paper.pdf

[2]: https://github.com/oauthstuff/draft-ietf-oauth-security-topics/pull/53
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
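To illustrate the insecure and hardened forms of postMessage-based token delivery that Christian's message refers to, here is an added example; it is not code from the thread, the paper or the draft. The origins, the message shapes and the window stand-in are constructed assumptions so the code runs under Node without a browser.

```javascript
const AS_ORIGIN = "https://as.example";         // assumed AS origin (constructed)
const CLIENT_ORIGIN = "https://client.example"; // assumed client origin (constructed)

// Insecure receiver: stores whatever looks like a token, from any origin.
// Any window that can reach this one can inject its own token, and the
// client never learns who sent the message.
function insecureReceiver(store) {
  return function onMessage(event) {
    if (event.data && typeof event.data.access_token === "string") {
      store.token = event.data.access_token;
      return true;
    }
    return false;
  };
}

// Hardened receiver: accept only the expected sender origin, bind the
// response to the pending request via state, and expect a code, not a token.
function hardenedReceiver(store, expectedOrigin, expectedState) {
  return function onMessage(event) {
    if (event.origin !== expectedOrigin) return false; // wrong sender
    const d = event.data;
    if (!d || typeof d !== "object") return false;     // malformed
    if (d.state !== expectedState) return false;       // not our request
    if (typeof d.code !== "string") return false;      // unexpected payload
    store.code = d.code;
    return true;
  };
}

// Sender side: always name a precise target origin. With "*" the browser
// delivers the response to whatever document currently occupies the
// window, so a token can leak to a page the sender did not intend.
function sendAuthResponse(targetWindow, response, targetOrigin) {
  if (targetOrigin === "*" || !/^https:\/\/[^/]+$/.test(targetOrigin)) {
    throw new Error("refusing to post OAuth response without precise https targetOrigin");
  }
  targetWindow.postMessage(response, targetOrigin);
}

// Constructed stand-in for a window object; enforces targetOrigin the way a
// browser does, so the code can run under Node without a DOM.
function fakeWindow(origin) {
  return {
    received: [],
    postMessage(msg, targetOrigin) {
      if (targetOrigin === "*" || targetOrigin === origin) this.received.push(msg);
    },
  };
}
```

In a real page the receiver is registered with `window.addEventListener("message", handler)`; the checks are the same.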