i***@ietf.org
2016-07-07 23:04:33 UTC
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol of the IETF.
Title : OAuth 2.0 Mix-Up Mitigation
Authors : Michael B. Jones
John Bradley
Nat Sakimura
Filename : draft-ietf-oauth-mix-up-mitigation-01.txt
Pages : 14
Date : 2016-07-07
Abstract:
This specification defines an extension to The OAuth 2.0
Authorization Framework that enables the authorization server to
dynamically provide the client using it with additional information
about the current protocol interaction that can be validated by the
client and that enables the client to dynamically provide the
authorization server with additional information about the current
protocol interaction that can be validated by the authorization
server. This additional information can be used by the client and
the authorization server to prevent classes of attacks in which the
client might otherwise be tricked into using inconsistent sets of
metadata from multiple authorization servers, including potentially
using a token endpoint that does not belong to the same authorization
server as the authorization endpoint used. Recent research
publications refer to these as "IdP Mix-Up" and "Malicious Endpoint"
attacks.
The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-mix-up-mitigation/
There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01
A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-mix-up-mitigation-01
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
This draft is a work item of the Web Authorization Protocol of the IETF.
Title : OAuth 2.0 Mix-Up Mitigation
Authors : Michael B. Jones
John Bradley
Nat Sakimura
Filename : draft-ietf-oauth-mix-up-mitigation-01.txt
Pages : 14
Date : 2016-07-07
Abstract:
This specification defines an extension to The OAuth 2.0
Authorization Framework that enables the authorization server to
dynamically provide the client using it with additional information
about the current protocol interaction that can be validated by the
client and that enables the client to dynamically provide the
authorization server with additional information about the current
protocol interaction that can be validated by the authorization
server. This additional information can be used by the client and
the authorization server to prevent classes of attacks in which the
client might otherwise be tricked into using inconsistent sets of
metadata from multiple authorization servers, including potentially
using a token endpoint that does not belong to the same authorization
server as the authorization endpoint used. Recent research
publications refer to these as "IdP Mix-Up" and "Malicious Endpoint"
attacks.
The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-mix-up-mitigation/
There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01
A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-mix-up-mitigation-01
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/