Just came across this article: Apple CORED: Boffins reveal password-killer 0-days for iOS and OS X, by The Register. Since the news itself did not explain the nature of the attack well enough, I went onto reading the full paper: Xing, Bai, Li, Wang, Chen, Liao: “Unauthorized Cross-App Resource Access on MAC OS X and iOS” […]
Apple forcing developpers to use in-app browser instead of spawning Safari has been known as an extremely insecure practice for sometime. There many reasons that this was a bad practice both from security and usability point of view: An app developers can snatch user’s password No URL bar means user cannot have any visual cue […]
It has taken soooo long [1], but JSON Web Signature (JWS), JSON Web Token (JWT) , together with other JW* suite finally are Standard Track RFC[2] now. They are [RFC7515] and [RFC7519] respectively. For those of you who are not familiar with JWS and JWT: JWS is a digital signature standard for JSON, a JSON version of XML Signature […]
Proof-Of-Possession Semantics for JSON Web Tokens (JWTs) draft 02 has been under WGLC till yesterday (March 24, 2015). During the OAuth WG meeting at IETF 92 on Monday, I was asked to do a review of the document (See the minutes). So, here is my review comments. (It has been sent to OAuth list as this. […]
June 24: The three main UMA Version 0.9 specifications – UMA Core , OAuth Resource Set Registration , and UMA Claim Profiles – are out for a45-day public review period ending September 6 at 17:00 Pacific time. This review is in preparation for advancement of these specs as Kantara Initiative Recommendations. If you have specification comments or IPR review comments, be sure to follow the commenting […]
So, there has been a flurry of worries induced by the CNET and other articles [1] about “Covert Redirect”. Like Leandro Boffi wrote in his blog post [2], this is not a new attack. It is an attack that has been known for at least 6 years. It is very disappointing that, after this long years, […]
Celebrate! OpenID Connect 1.0 Final is here! After four and half years, or six years if we include the time needed to start the working group, finally, OpenID Connect is released as final. Like I have been explaining many times in this blog, OpenID Connect is something that forms “the identity layer” on the internet. […]
An OpenID Connect server is just an OAuth 2.0 server on steroids. What it does it to return the ID Token, which contains information about the authentication event for the user at the door, in addition to the Access Token. This article explains how to write a simple OpenID Connect server using an OAuth 2.0 […]
People like me who is working on internet identity space is trying to solve so called “Internet Dog Problem.” You surely must have seen this picture — InternetDog.jpg : On the internet, nobody knows you’re a dog. This is a hard enough problem that we have long been trying to solve. At the same time, […]