sector_identifier_uri should have a /.well-known/ path

Issue #1058 open
James Manger created an issue

The content of a sector_identifier_uri gives each listed app permission to receive pairwise identifiers for a particular domain (the domain of the sector_identifier_uri).

There should only be 1 URI for a domain that can convey this permission for the domain. That is, we should pick a well-known path [RFC 5785 Defining Well-Known URIs]. I suggest:

https://<domain>/.well-known/openid/apps.json

Otherwise, an attacker can get permission to receive a domain's pairwise ids by finding any web address on the domain that will return the attacker's redirect_uri (or a redirect to a site that can list the attacker's redirect_uri).

An interim protection that OPs could implement is to reject a client registration if it has a sector_identifier_uri that has a different path but is in the same domain as another client.
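As an added example (not code from the issue, the OpenID specs, or any OP implementation), this is how an OP could apply the interim rule above at registration time, next to the existing requirement that the fetched sector_identifier_uri document lists all of the client's redirect_uris. The registry, the fetched documents and the function name are constructed for illustration; the proposed well-known path is the one suggested in the issue.

```python
import json
from urllib.parse import urlparse

# Constructed sample: clients already registered at this OP and their sector_identifier_uri.
REGISTERED_CLIENTS = {
    "client-a": {"sector_identifier_uri": "https://apps.example.com/.well-known/openid/apps.json"},
    "client-b": {"sector_identifier_uri": "https://other.example.net/sector.json"},
}

# Constructed stand-in for fetching each sector_identifier_uri over HTTPS.
# The second document models an arbitrary path on the same domain that returns a different list.
FETCHED_DOCUMENTS = {
    "https://apps.example.com/.well-known/openid/apps.json": json.dumps(
        ["https://app1.example.com/cb", "https://app2.example.com/cb"]),
    "https://apps.example.com/uploads/other.json": json.dumps(
        ["https://unrelated.example.org/cb"]),
}

# Well-known path proposed in the issue (hypothetical until adopted by the spec).
WELL_KNOWN_PATH = "/.well-known/openid/apps.json"


def check_sector_identifier(sector_uri, redirect_uris, registry=REGISTERED_CLIENTS,
                            documents=FETCHED_DOCUMENTS, require_well_known=False):
    """Return (ok, reason); ok is False when the registration must be rejected."""
    parsed = urlparse(sector_uri)
    if parsed.scheme != "https" or not parsed.netloc:
        return False, "sector_identifier_uri must be an https URL"
    if require_well_known and parsed.path != WELL_KNOWN_PATH:
        return False, "sector_identifier_uri must use the well-known path"
    # Interim rule from the issue: a second URI on the same host but with a different
    # path would let two documents claim the same domain, so reject it.
    for client_id, rec in registry.items():
        existing = urlparse(rec["sector_identifier_uri"])
        if existing.netloc.lower() == parsed.netloc.lower() and existing.path != parsed.path:
            return False, f"domain already claimed by {client_id} via a different path"
    # Existing requirement: the document must list every redirect_uri of the client.
    doc = documents.get(sector_uri)
    if doc is None:
        return False, "could not fetch sector_identifier_uri"
    listed = json.loads(doc)
    if not isinstance(listed, list) or not set(redirect_uris) <= set(listed):
        return False, "redirect_uris not all listed in the sector_identifier_uri document"
    return True, "ok"
```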

Comments (5)

  1. gffletch

    Just to make sure I understand... the issue is that an attacker could use this method to obtain the pairwise identifiers of the victim. This is a privacy exposure allowing the attacker to potentially obtain correlation handles in a domain they should not be able to access.

  2. Nat Sakimura

    Bringing this up as well. We need mini-spec/amendment written down, and we need an editor for that. Any volunteers?
