That doesn't make sense to me.

On Wed, Jun 14, 2023, 21:31 Daniel Fett <fett=40danielfett...@dmarc.ietf.org> wrote:
> Hi Alexander,
>
> On 14.06.23 at 15:19, Alexander Rademann wrote:
> > Hello, everyone!
> >
> > Section 4.4.1 of the BCP draft
> > <https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-23.html#section-4.4.1>
> > lists several variants of mix-up attacks; the description of the
> > Implicit grant variant reads as follows: "In the implicit grant, the
> > attacker receives an access token instead of the code; the rest of the
> > attack works as above." Given the attack description in that section, it is
> > not clear to me why an attacker would receive the access token and which
> > part the "rest of the attack" refers to. When the Implicit grant is used,
> > H-AS sends the access token (via redirect) to the user agent, which
> > extracts it and sends it to the client. However, the client does not send
> > the access token to A-AS, does it? (I hope that I didn't overlook anything
> > in that section.)
> >
> > I also checked the referenced paper <https://arxiv.org/abs/1601.01229>;
> > there, the authors assume that the access token is sent to the
> > authorization server under the control of the attacker (or, using their
> > terminology, identity provider) to access some resource. [Appendix B, p.
> > 31ff] Perhaps this (or some similar) assumption should be added to the
> > description of this variant?
>
> The underlying assumption is that when the user selected to use A-AS in
> the beginning, the access token would also be used with a Resource Server
> under the attacker's control.
>
> -Daniel
>
> > I'm sorry if I missed anything or if this has already been addressed
> > before, I'm new to this mailing list and did not find anything in the
> > archives.
> >
> > Kind regards
> > Alex
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
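As an added example that is not part of this thread, the following Python simulation shows the assumption Daniel describes (the client routes a token to the resource server belonging to whichever AS the user originally chose) and how the `iss` authorization-response parameter of RFC 9207, which the BCP recommends as a mix-up countermeasure, lets the client notice that the token came from a different AS than the session started with. The server names, URLs, token value and the `Client` class are constructed for this example; they are not from the BCP, the paper or any real deployment.

```python
"""Constructed simulation of the implicit-grant mix-up variant and the
`iss` response-parameter check (RFC 9207). Every name, URL and token here
is invented for illustration."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class AuthServer:
    issuer: str
    resource_server: str  # the RS the client uses tokens from this AS with


@dataclass
class Client:
    servers: Dict[str, AuthServer]
    sessions: Dict[str, str] = field(default_factory=dict)  # state -> expected issuer

    def start_flow(self, as_name: str) -> Tuple[str, str]:
        """The user picked an AS at the client; remember which one under a fresh state."""
        state = secrets.token_urlsafe(16)
        issuer = self.servers[as_name].issuer
        self.sessions[state] = issuer
        return state, f"{issuer}/authorize?state={state}"

    def handle_callback(self, fragment: Dict[str, str], require_iss: bool) -> dict:
        """Process the redirect back to the client.

        In the implicit grant the access token arrives in the URL fragment.
        Without an issuer check, `state` is all the client has to decide which
        AS (and therefore which RS) the token belongs to."""
        expected_iss: Optional[str] = self.sessions.pop(fragment.get("state", ""), None)
        if expected_iss is None:
            return {"ok": False, "reason": "unknown state"}
        if require_iss and fragment.get("iss") != expected_iss:
            # RFC 9207: the AS echoes its issuer; a mismatch means the response
            # did not come from the AS this session was started with.
            return {"ok": False, "reason": "issuer mismatch"}
        rs = next(s.resource_server for s in self.servers.values() if s.issuer == expected_iss)
        return {"ok": True, "send_token_to": rs, "access_token": fragment["access_token"]}


# Constructed honest and attacker-controlled authorization servers.
H_AS = AuthServer("https://honest.example", "https://rs.honest.example")
A_AS = AuthServer("https://attacker.example", "https://rs.attacker.example")


def simulate_mixup(require_iss: bool) -> dict:
    """User was tricked into selecting A-AS; the response actually comes from H-AS."""
    client = Client({"H-AS": H_AS, "A-AS": A_AS})
    state, _ = client.start_flow("A-AS")
    # Constructed callback: a token issued by H-AS arrives with the A-AS session's state.
    fragment = {"access_token": "tok-from-H-AS", "state": state, "iss": H_AS.issuer}
    return client.handle_callback(fragment, require_iss)


def simulate_honest(require_iss: bool) -> dict:
    """Undisturbed flow: the user picked H-AS and the response comes from H-AS."""
    client = Client({"H-AS": H_AS, "A-AS": A_AS})
    state, _ = client.start_flow("H-AS")
    fragment = {"access_token": "tok-from-H-AS", "state": state, "iss": H_AS.issuer}
    return client.handle_callback(fragment, require_iss)


if __name__ == "__main__":
    print("no iss check :", simulate_mixup(require_iss=False))
    print("with iss check:", simulate_mixup(require_iss=True))
    print("honest flow   :", simulate_honest(require_iss=True))
```

Without the check, `simulate_mixup` reports that the H-AS token would be sent to `https://rs.attacker.example`, which is exactly the "rest of the attack" for the implicit variant: the client itself hands the honest token to the attacker's resource server. With the check, the same callback is rejected with "issuer mismatch". The check only helps when the honest AS actually emits `iss` (an AS that omits it produces a mismatch against the expected value, which is the safe direction); where that is not available, the BCP's other countermeasure, a distinct redirect URI per AS, gives the client the same information.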