sector_identifier_uri should have a /.well-known/ path

Issue #1058 open
James Manger created an issue

The content of a sector_identifier_uri gives each listed app permission to receive pairwise identifiers for a particular domain (the domain of the sector_identifier_uri).

There should only be 1 URI for a domain that can convey this permission for the domain. That is, we should pick a well-known path [RFC 5785 Defining Well-Known URIs]. I suggest:

https://<domain>/.well-known/openid/apps.json

Otherwise, an attacker can get permission to receive a domain's pairwise ids by finding any web address on the domain that will return the attacker's redirect_uri (or a redirect to a site that can list the attacker's redirect_uri).

An interim protection that OPs could implement is to reject a client registration if it has a sector_identifier_uri that has a different path but is in the domain as another client.

Comments (4)

  1. gffletch

    Just to make sure I understand... the issue is that an attacker could use this method to obtain the pairwise identifiers of the victim. This is an privacy exposure allowing the attacker to potentially obtain correlation handles in a domain they should not be able to access.

  2. Log in to comment