.Nat Zone

Digital Identity et al.

「 OAuth 」 一覧

APIDays 2016: Financial Grade OAuth & OpenID Connect

Here is the slide I used in API Days Paris 2016, for the Banking track. Direct link to slideshare: http://www.slideshare.net/nat_sakimura/financial-grade-oauth-openid-connect Hope they are useful.

Fixing OAuth?

On the 14th and 15th of July, we had the OAuth Security Workshop 2016 at the University of Trier. Further, we had a IETF 96 side meeting on OAuth security at 18:20 in the beautiful Café am Neuen See to further discuss it. …

FAPI Presentation at Open Data in Finance Conference @ London

Here is the presentation file that I used for my 10 minutes OpenID Foundattion Financial API WG presentation at the Open Data in Finance Conference ( June 15, 2016). To join the Working Group, please sign the IPR Contribution agreement online by clicking …

Open Data in Finance Conference: Chair’s Welcome

Here is the script of the Chair’s remark at the opening of the Open Data in Fianance Conference in London (June 15, 2016) 09:00 – 09:10 Chair’s Welcome Nat SakimuraSenior ResearcherNomura Research Institute Hello. Welcome to the Open Data in …

no image

Authorization Delegation: A financial accounts aggregation use case

  2016/01/29    identity, OAuth, OpenID Connect

I have many bank accounts. If I wanted to use a new and shiny graphing service, I have to get authorization from each banks individually. That’s a bit of nuisance. Instead of doing that, if I can instruct each banks …

Cut and pasted code attack in OAuth 2.0 [RFC6749]

  2016/01/25    OAuth, OpenID Connect, security

The so called ‘cut and pasted code attack’ also known as ‘Frankenstein Monster Attack’ is an attack that the adversary swaps the ‘code’ in the authorization response with the victim’s ‘code’ that the adversary has gotten hold of somehow. It can …

Code phishing attack on OAuth 2.0 [RFC6749]

Code phishing attack is the attack that the adversary obtains the code and client credentials from the legitimate client and uses them against the honest token endpoint to obtain tokens thereby accessing the protected resources illegitimately. Assumptions There are not much …

IdP Mix-up Attack on OAuth [RFC6749]

On Sunday 10, 2016, OAuth Security Advisory: Authorization Server Mix-Up was issued. Nov Matake wrote an excellent article about it in Japanese. To help understand the readers of the attack, I am translating the portion of his blog post explaining the …

On the XARA vulnerability on MacOS X and iOS

  2015/06/19    identity, OAuth, OpenID Connect ,

Just came across this article: Apple CORED: Boffins reveal password-killer 0-days for iOS and OS X, by The Register. Since the news itself did not explain the nature of the attack well enough, I went onto reading the full paper: Xing, …

no image

Apple’s answer to the in-secure use of in-app browser? — iOS 9 introduces SFSafariViewController

  2015/06/09    OAuth, OpenID Connect

Apple forcing developpers to use in-app browser instead of spawning Safari has been known as an extremely insecure practice for sometime. There many reasons that this was a bad practice both from security and usability point of view: An app …