OAuth Metadata: Mix-up Machine?
From IIW
Session: 12J
Convener: Daniel Fett
Notes-taker(s): Daniel Fett
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
In a Mix-Up Attack on OAuth, the attacker convinces the client to send credentials (an authorization code or access token) obtained from an "honest" authorization server to a server under the attacker's control. In this session, we discussed the risks introduced by new OAuth extensions such as Metadata, PAR (Pushed Authorization Requests) and JARM (JWT Secured Authorization Response Mode).
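An added illustration of the attack pattern and of the client-side check that defeats it; this is example code written for these notes, not code from the session or from the linked write-up. It assumes two authorization server (AS) configurations, one honest and one attacker-controlled, that the client has obtained (for instance via metadata), and it assumes the authorization response carries an `iss` parameter naming the AS that issued it. Both client variants remember which AS each authorization request was sent to; only the checked variant compares that binding against `iss` before deciding where the code goes.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthServer:
    issuer: str
    authorization_endpoint: str
    token_endpoint: str


# Constructed configurations for two authorization servers, as a client would
# obtain them from AS metadata. "honest" is the legitimate AS; "rogue" stands
# for an AS under an attacker's control that the client also trusts.
SERVERS = {
    "honest": AuthServer("https://as.example",
                         "https://as.example/authorize",
                         "https://as.example/token"),
    "rogue": AuthServer("https://rogue.example",
                        "https://rogue.example/authorize",
                        "https://rogue.example/token"),
}


def server_for_issuer(issuer: str) -> AuthServer:
    return next(s for s in SERVERS.values() if s.issuer == issuer)


class Client:
    """OAuth client that remembers which AS each authorization request went to."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}  # state -> issuer of the AS chosen

    def start_flow(self, server_name: str) -> str:
        """Begin an authorization request at the named AS; returns the state value."""
        state = secrets.token_urlsafe(16)
        self._pending[state] = SERVERS[server_name].issuer
        return state

    def naive_callback(self, params: dict) -> str:
        """Vulnerable handling: trusts the stored binding alone and returns the
        token endpoint the received code will be sent to."""
        issuer = self._pending.pop(params["state"], None)
        if issuer is None:
            raise ValueError("unknown state")
        return server_for_issuer(issuer).token_endpoint

    def checked_callback(self, params: dict) -> str:
        """Mix-up resistant handling: the AS that actually answered (its 'iss'
        parameter) must be the AS this flow was started with."""
        issuer = self._pending.pop(params["state"], None)
        if issuer is None:
            raise ValueError("unknown state")
        if params.get("iss") != issuer:
            raise ValueError("issuer mismatch: response did not come from the "
                             "AS this flow was started with")
        return server_for_issuer(issuer).token_endpoint


def simulate_mixup(check_iss: bool) -> str:
    """Replay the mix-up scenario: the flow is started at the rogue AS, which
    forwards the user to the honest AS; the honest AS's response (code plus the
    client's own state) then arrives at the client. Returns the token endpoint
    the client would send the code to, or raises if the client detects it."""
    client = Client()
    state = client.start_flow("rogue")
    # Constructed response as issued by the honest AS, which names itself in 'iss'.
    response = {"code": "constructed-code", "state": state,
                "iss": SERVERS["honest"].issuer}
    handler = client.checked_callback if check_iss else client.naive_callback
    return handler(response)


def simulate_honest_flow() -> str:
    """Ordinary flow at the honest AS: the checked client accepts it."""
    client = Client()
    state = client.start_flow("honest")
    response = {"code": "constructed-code", "state": state,
                "iss": SERVERS["honest"].issuer}
    return client.checked_callback(response)


def mixup_detected() -> bool:
    """True when the checked client refuses the mixed-up response."""
    try:
        simulate_mixup(check_iss=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("naive client would send the code to:", simulate_mixup(check_iss=False))
    print("checked client detects the mix-up:", mixup_detected())
```

Note that remembering the AS per `state` is not enough on its own: in the simulated run the flow was started at the rogue AS, so the binding itself points at the attacker, and the honest AS's code would be sent there. The check that matters is the comparison of the stored binding with the issuer named in the response.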
Notes: http://danielfett.github.io/notes/oauth/Mix-Up%20Revisited.html