Message source authentication failure
Issue #51
closed
I think the wording of this paragraph could be improved. Also, is this strictly correct? We recommend TLS mutual authentication, which would allow authentication of part of the authorization flow?
Comments (10)
- Agreed that wording can be improved. As far as correctness is concerned, it is. Even if we do TLS mutual authentication, it only applies to the Token Request; the Authorization Request is not source authenticated, as it goes through the browser redirect. Late binding of authentication does not work here, as it does not protect against injection attacks etc.
- reporter: Ok, I understand. What is the protection against this that we may recommend in part 2?
- Use of signed request object / request URI, or use of OAuth JAR. They are actually the same thing, by the way. That should pretty much remove all the insecurity. John and I designed it to be able to meet LoA 4 requirements.
- changed component to Part 1: RO Security
- changed status to closed
- Dave agreed that it is clear now since we now have Part 2.
- changed component to Part 1: Baseline
- changed component to FAPI 1 - Part 1: Baseline
- changed component to FAPI 1 – Part 1: Baseline
- changed component to FAPI 1 – Baseline
- changed component to FAPI 1: Baseline