Registration - DoS Attack caused by Dynamic Registration?
Issue #758
resolved
It seems there are some concerns regarding the DoS attack caused by request_uri.
I wonder if DynReg would not cause the DoS attack as well.
If it does, we should add some comments in the security consideration section.
Comments (4)

Account Deleted:
Yes, if an OP is providing open registration, then at least some form of request throttling should be applied.

It's definitely a concern. OAuth DynReg currently makes note of this potential attack and suggests rate-limiting and other common mitigations (section 3):

    In order to support open registration and facilitate wider interoperability, the Client Registration Endpoint SHOULD allow initial registration requests with no authentication. These requests MAY be rate-limited or otherwise limited to prevent a denial-of-service attack on the Client Registration Endpoint.

assigned issue to
We will add the same rate limitation text as is in the OAuth registration draft.

assigned issue to

changed status to resolved
Fixed
#758 - State the registration requests can be rate-limited to prevent a DoS attack. → <<cset 69cc9a7eb9eb>>
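The mitigation the thread settles on, an open registration endpoint that accepts unauthenticated requests but throttles them per source, is shown below as an added example. It is not code from this issue, from the OpenID Connect or OAuth registration drafts, or from any project; the limits, the `rate_limited` / `invalid_client_metadata` / `invalid_redirect_uri` error names, the `client-N` identifier format and the `max_sources` cap are all assumptions chosen for illustration. Throttling runs before the body is parsed or stored so that a rejected request costs the OP almost nothing, and the per-source table is pruned so the limiter itself cannot be grown without bound.

```python
"""Added example: a per-source token-bucket limiter in front of an open
(unauthenticated) client registration endpoint. Not the drafts' or any
project's code; every number and error name here is an assumption."""
import json
import math
import time
from dataclasses import dataclass


@dataclass
class TokenBucket:
    """Classic token bucket: `capacity` is the allowed burst, `refill_per_sec`
    the sustained rate. One token is spent per registration request."""
    capacity: float
    refill_per_sec: float
    tokens: float
    last: float

    def take(self, now: float) -> bool:
        # Credit the tokens earned since the last call, capped at the burst size.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RegistrationEndpoint:
    """Minimal open registration endpoint (illustrative, not spec text)."""

    def __init__(self, burst=5, per_minute=10, max_body=4096, max_sources=10000,
                 clock=time.monotonic):
        self.burst = float(burst)
        self.refill = per_minute / 60.0   # tokens per second
        self.max_body = max_body
        self.max_sources = max_sources
        self.clock = clock                # injectable so tests can move time
        self.buckets = {}                 # source address -> TokenBucket
        self.clients = {}                 # client_id -> registered metadata
        self._seq = 0

    def _prune(self, now: float) -> None:
        # A bucket idle long enough to be full again is indistinguishable from a
        # fresh one, so it can be dropped; this keeps the table from growing forever.
        idle = self.burst / self.refill
        for src in [s for s, b in self.buckets.items() if now - b.last >= idle]:
            del self.buckets[src]

    def register(self, source: str, body: str):
        """Handle one unauthenticated POST; returns (http_status, response_dict)."""
        now = self.clock()
        bucket = self.buckets.get(source)
        if bucket is None:
            if len(self.buckets) >= self.max_sources:
                self._prune(now)
            bucket = TokenBucket(self.burst, self.refill, tokens=self.burst, last=now)
            self.buckets[source] = bucket
        # Throttle before any parsing or storage so a rejected request is cheap.
        if not bucket.take(now):
            wait = max(1, math.ceil((1.0 - bucket.tokens) / self.refill))
            return 429, {"error": "rate_limited", "retry_after": wait}
        if len(body) > self.max_body:
            return 413, {"error": "invalid_client_metadata"}
        try:
            meta = json.loads(body)
        except ValueError:
            return 400, {"error": "invalid_client_metadata"}
        uris = meta.get("redirect_uris") if isinstance(meta, dict) else None
        if (not isinstance(uris, list) or not uris
                or not all(isinstance(u, str) and u.startswith("https://") for u in uris)):
            return 400, {"error": "invalid_redirect_uri"}
        self._seq += 1
        client_id = f"client-{self._seq}"
        self.clients[client_id] = meta
        return 201, {"client_id": client_id, "redirect_uris": uris}


if __name__ == "__main__":
    # Constructed demo: one source bursts past its allowance and gets 429s.
    ep = RegistrationEndpoint(burst=3, per_minute=60)
    body = json.dumps({"redirect_uris": ["https://app.example/cb"]})
    for _ in range(5):
        print(ep.register("203.0.113.7", body))
```

The `Retry-After` hint is derived from the bucket's deficit, so a well-behaved client learns exactly when to try again, while the prune step means that a flood of distinct source addresses only consumes memory until their buckets have refilled.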