I have many bank accounts. If I wanted to use a new and shiny graphing service, I have to get authorization from each banks individually.…View More Authorization Delegation: A financial accounts aggregation use case
Month: January 2016
Cut and pasted code attack in OAuth 2.0 [RFC6749]
The so called ‘cut and pasted code attack’ also known as ‘Frankenstein Monster Attack’ is an attack that the adversary swaps the ‘code’ in the…View More Cut and pasted code attack in OAuth 2.0 [RFC6749]
Code phishing attack on OAuth 2.0 [RFC6749]
Code phishing attack is the attack that the adversary obtains the code and client credentials from the legitimate client and uses them against the honest token…View More Code phishing attack on OAuth 2.0 [RFC6749]
IdP Mix-up Attack on OAuth [RFC6749]
On Sunday 10, 2016, OAuth Security Advisory: Authorization Server Mix-Up was issued. Nov Matake wrote an excellent article about it in Japanese. To help understand the…View More IdP Mix-up Attack on OAuth [RFC6749]
Happy New Year!
2015 was a hectic year: Bunch of the specs that I have been working on (JWS [RFC7515], JWT [RFC7519], OAuth PKCE [RFC7636], JWK Thumbprint [RFC7638]）got published and the work to convert…View More Happy New Year!