- changed status to open
native sso: id_token validation?
https://openid.net/specs/openid-connect-native-sso-1_0.html#rfc.section.4.3 does not seem to include any requirement to validate the id_token, e.g. the signature?
I think that means if I have the device_secret & id_token for one session, and an id_token for another session I want to attack, I can:
- edit the second id_token to include ds_hash for the first session
- exchange the device_secret and modified id_token for an access token for the second session
Comments (7)
-
assigned issue to
-
assigned issue to
-
Adding the following step in that section…
“Verify the id_token for integrity protection by validating the signature of the id_token JWT.”
Recommendations for text suggestions gladly accepted
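To make the two points above concrete (the ds_hash substitution described in the issue, and the proposed "verify the signature of the id_token JWT" step), here is an added example of what a token-exchange endpoint's id_token check looks like with and without signature validation. It is not code from the issue thread, the specification, or any OpenID Foundation project. Assumptions: the ID Token is signed with HS256 under a shared key purely to keep the example dependency-free (a real AS verifies against its own signing keys), ds_hash is assumed to be built like at_hash (base64url of the left-most half of the SHA-256 hash of the ASCII device_secret), and every issuer, client id, subject and device_secret value is constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values for the demo; none of these come from the spec or the issue.
DEMO_KEY = b"constructed-demo-signing-key"
ISSUER = "https://as.example"
CLIENT_ID = "client-a"
SESSION_ONE_SECRET = "device-secret-session-1"
SESSION_TWO_SECRET = "device-secret-session-2"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def ds_hash(device_secret: str) -> str:
    # Assumed construction, mirroring at_hash: left-most half of SHA-256 (the HS256 hash).
    digest = hashlib.sha256(device_secret.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def encode_jwt(claims: dict, key: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def issue_id_token(sub: str, device_secret: str, key: bytes = DEMO_KEY) -> str:
    # What the AS hands the native app: an ID Token bound to its device_secret via ds_hash.
    return encode_jwt({"iss": ISSUER, "aud": CLIENT_ID, "sub": sub,
                       "ds_hash": ds_hash(device_secret)}, key)


def replace_claims_unsigned(token: str, **changes) -> str:
    # Re-encode the payload with changed claims while keeping the ORIGINAL signature.
    # Produces the tampered input from the issue so the verifier's behaviour can be checked.
    h, c, s = token.split(".")
    claims = json.loads(b64url_decode(c))
    claims.update(changes)
    return h + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + s


def ds_hash_only_check(token: str, device_secret: str) -> bool:
    # The check that section 4.3 as written implies: compare ds_hash, no signature validation.
    claims = json.loads(b64url_decode(token.split(".")[1]))
    return claims.get("ds_hash") == ds_hash(device_secret)


def verify_id_token(token: str, key: bytes, device_secret: str,
                    issuer: str = ISSUER, client_id: str = CLIENT_ID) -> dict:
    # Hardened check: signature first, then standard iss/aud checks, then ds_hash binding.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, c, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the expected algorithm; never accept 'none'
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (h + "." + c).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature invalid")
    claims = json.loads(b64url_decode(c))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud_list:
        raise ValueError("audience mismatch")
    presented = str(claims.get("ds_hash", "")).encode("utf-8")
    if not hmac.compare_digest(presented, ds_hash(device_secret).encode("ascii")):
        raise ValueError("ds_hash does not match device_secret")
    return claims


def exchange_outcome(token: str, device_secret: str) -> str:
    # Returns 'accepted' or the reason the token exchange was refused.
    try:
        verify_id_token(token, DEMO_KEY, device_secret)
        return "accepted"
    except ValueError as exc:
        return str(exc)


def demo() -> dict:
    token_one = issue_id_token("alice", SESSION_ONE_SECRET)
    token_two = issue_id_token("bob", SESSION_TWO_SECRET)
    # Scenario from the issue: session two's token with its ds_hash rewritten to session one's.
    tampered = replace_claims_unsigned(token_two, ds_hash=ds_hash(SESSION_ONE_SECRET))
    return {
        "session_one_pair": exchange_outcome(token_one, SESSION_ONE_SECRET),
        "mismatched_pair": exchange_outcome(token_two, SESSION_ONE_SECRET),
        "tampered_token": exchange_outcome(tampered, SESSION_ONE_SECRET),
        "ds_hash_only_accepts_tampered": ds_hash_only_check(tampered, SESSION_ONE_SECRET),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the gap: the ds_hash-only comparison accepts the modified token, while the signature check refuses it before ds_hash is even compared. The iss/aud checks are ordinary OIDC Core ID Token validation included as an assumption; they also cover the related concern raised later in the thread, since a token whose aud does not name the exchanging client is refused.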
-
Note that this is a normative change from the spec perspective, though hopefully implementations were doing this already
-
reporter I was certainly hoping they were already doing it :-)
I have a nagging feeling there should be slightly more validation, but I’m not sure exactly what. Probably it feels like there should be something that stops a valid client using a device_secret and id_token not intended for it, but I’m not sure how to achieve that.
-
Great point. I will update the security considerations section.
-
- changed status to resolved
+1 for checking the signature.