On Sunday 10, 2016, OAuth Security Advisory: Authorization Server Mix-Up was issued. Nov Matake wrote an excellent article about it in Japanese. To help understand the readers of the attack, I am translating the portion of his blog post explaining the attack with his permission, then expand on it. Assumptions The …
Just came across this article: Apple CORED: Boffins reveal password-killer 0-days for iOS and OS X, by The Register. Since the news itself did not explain the nature of the attack well enough, I went onto reading the full paper: Xing, Bai, Li, Wang, Chen, Liao: “Unauthorized Cross-App Resource Access on …
Apple forcing developpers to use in-app browser instead of spawning Safari has been known as an extremely insecure practice for sometime. There many reasons that this was a bad practice both from security and usability point of view: An app developers can snatch user’s password No URL bar means user …
When John, Breno, and I started the OpenID Connect work, one of the target was to make it as simple as putting two files on the client file system and calling a few functions from the calling page. With OpenID Connect, we have actually achieved it. You do not believe? …
OpenID 2.0 to OpenID Connect Migration (aka OID2 to OIDC Migration) is a spec that allows RPs to associate the old OpenID 2.0 identifiers to the new OpenID Connect identifiers without user intervention or extra round trip. The spec has been under development for approximately half a year and has …
So, there has been a flurry of worries induced by the CNET and other articles [1] about “Covert Redirect”. Like Leandro Boffi wrote in his blog post [2], this is not a new attack. It is an attack that has been known for at least 6 years. It is very disappointing …
Celebrate! OpenID Connect 1.0 Final is here! After four and half years, or six years if we include the time needed to start the working group, finally, OpenID Connect is released as final. Like I have been explaining many times in this blog, OpenID Connect is something that forms “the …
Many people seem to ask for the guidance on which grant / flow to use in OpenID Connect. Here is my straw-man answer. Conditions / Requirement code grant implicit grant hybrid grant Server is not directly reachable from the client x Want less round trip x x Do not want …
After the Berlin OpenID AB/C WG F2F meeting, I have been trying to refactor the Connect suites into more palatable form. I am supposed to create two sets of the refactored version. One for a granular split version and the other for a monolithic version. Some people like Torsten and …
OpenID Connect has many components. Sometimes, it seems confusing what to read for a new reader, or worse, intimidating. Here is a flow chart I created as a guide to a new reader. Hope this is going to be useful. Suggestions are welcome as well.
![IdP Mix-up Attack on OAuth [RFC6749]](https://i2.wp.com/nat.sakimura.org/wp-content/uploads/2016/01/oauth-idp-mixup.png?resize=476%2C350&ssl=1)
