Hi all,
Daniel and I published a new version of the "iss" response parameter
draft to address the feedback from the WG.
Changes in -01:
* Incorporated first WG feedback
* Clarifications for use with OIDC
* Added note that clients supporting just one AS are not vulnerable
* Renamed metadata parameter
* Various editorial changes
We would like to ask you for further feedback and comments on the new
draft version.
Best regards,
Karsten
-------- Forwarded Message --------
Subject: New Version Notification for
draft-meyerzuselhausen-oauth-iss-auth-resp-01.txt
Date: Sun, 01 Nov 2020 23:31:42 -0800
From: internet-dra...@ietf.org
To: Karsten Meyer zu Selhausen <karsten.meyerzuselhau...@hackmanit.de>,
Karsten zu Selhausen <karsten.meyerzuselhau...@hackmanit.de>, Daniel
Fett <m...@danielfett.de>
A new version of I-D, draft-meyerzuselhausen-oauth-iss-auth-resp-01.txt
has been successfully submitted by Karsten Meyer zu Selhausen and posted
to the IETF repository.
Name: draft-meyerzuselhausen-oauth-iss-auth-resp
Revision: 01
Title: OAuth 2.0 Authorization Server Issuer Identifier in Authorization
Response
Document date: 2020-11-01
Group: Individual Submission
Pages: 10
URL:
https://www.ietf.org/archive/id/draft-meyerzuselhausen-oauth-iss-auth-resp-01.txt
Status:
https://datatracker.ietf.org/doc/draft-meyerzuselhausen-oauth-iss-auth-resp/
Html:
https://www.ietf.org/archive/id/draft-meyerzuselhausen-oauth-iss-auth-resp-01.html
Htmlized:
https://tools.ietf.org/html/draft-meyerzuselhausen-oauth-iss-auth-resp-01
Diff:
https://www.ietf.org/rfcdiff?url2=draft-meyerzuselhausen-oauth-iss-auth-resp-01
Abstract:
This document specifies a new parameter "iss" that is used to
explicitly include the issuer identifier of the authorization server
in the authorization response of an OAuth authorization flow. If
implemented correctly, the "iss" parameter serves as an effective
countermeasure to "mix-up attacks".
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
The IETF Secretariat
--
Karsten Meyer zu Selhausen
IT Security Consultant
Phone: +49 (0)234 / 54456499
Web: https://hackmanit.de | IT Security Consulting, Penetration Testing,
Security Training
Does your OAuth or OpenID Connect implementation use PKCE to strengthen the
security? Learn more about the protection PKCE provides and its limitations in
our new blog post:
https://www.hackmanit.de/en/blog-en/123-when-pkce-cannot-protect-your-confidential-oauth-client
Hackmanit GmbH
Universitätsstraße 60 (Exzenterhaus)
44789 Bochum
Registergericht: Amtsgericht Bochum, HRB 14896
Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr.
Christian Mainka, Dr. Marcus Niemietz
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
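As an added example (not part of the draft or of this message), the client-side check the abstract describes: a client that talks to more than one authorization server records which AS each authorization request went to and refuses to redeem a code whose "iss" does not name that AS. The issuer URLs, the session store and the function names are constructed for illustration.

```python
# Added example: validating the "iss" authorization response parameter on the
# client as a countermeasure against mix-up attacks. Not code from the draft.
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a client registered with two authorization servers.
# A client that supports only one AS has no choice to get wrong here.
KNOWN_ISSUERS = {"https://as-a.example.com", "https://as-b.example.net"}


class AuthorizationResponseError(Exception):
    """The redirect back to the client must not be acted upon."""


def begin_authorization(session, state, issuer):
    """Remember which AS this request is being sent to, keyed by its state."""
    if issuer not in KNOWN_ISSUERS:
        raise ValueError("unknown issuer")
    session[state] = issuer


def validate_authorization_response(session, redirect_url):
    """Return the authorization code only if "iss" matches the intended AS.

    Any other outcome raises, so the code is never sent to a token endpoint
    that belongs to a different AS than the one the user was redirected to.
    """
    raw = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    if any(len(values) != 1 for values in raw.values()):
        # Duplicate parameters make the response ambiguous; reject outright.
        raise AuthorizationResponseError("duplicate response parameter")
    params = {name: values[0] for name, values in raw.items()}

    state = params.get("state")
    if state is None or state not in session:
        raise AuthorizationResponseError("unknown or missing state")
    expected_issuer = session.pop(state)  # state is single-use

    iss = params.get("iss")
    if iss is None:
        # Without "iss" a multi-AS client cannot tell which AS answered.
        raise AuthorizationResponseError("missing iss parameter")
    if iss != expected_issuer:
        # Mix-up: the response names a different AS than the request used.
        raise AuthorizationResponseError("iss does not match intended AS")

    if "code" not in params:
        raise AuthorizationResponseError("missing authorization code")
    return params["code"]
```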