Message source authentication failure -

Comments (10)

1. 

   Nat Sakimura

   Agreed that wording can be improved. As to the correctness is concerned, it is. Even if we do TLS mutual authentication, it only applies to the Token Request and the Authorization Request is not source authenticated as it goes through the browser redirect. Late binding of authentication does not work here as it does not protect against injection attacks etc.

   • 2016-12-08T13:42:12+00:00
2. 

   Dave Tonge reporter

   Ok, I understand. What is the protection against this that we may recommend in part 2?

   • 2016-12-08T16:32:52+00:00
3. 

   Nat Sakimura

   Use of signed request object / request uri. OR use of OAuth JAR.

   They are actually the same thing by the way. That should pretty much remove all the insecurity. I and John designed it to be able to meet LoA 4 requirements.

   • 2016-12-13T13:43:39+00:00
4. 

   Nat Sakimura

   • changed component to Part 1: RO Security

   • 2016-12-13T17:25:17+00:00
5. 

   Nat Sakimura

   • changed status to closed

   Dave agreed that it is clear now since we now have Part 2.

   • 2018-01-29T17:09:31+00:00
6. 

   Nat Sakimura

   • changed component to Part 1: Baseline

   • 2022-12-14T15:35:53+00:00
7. 

   Nat Sakimura

   • changed component to FAPI 1 - Part 1: Baseline

   • 2022-12-14T15:36:25+00:00
8. 

   Nat Sakimura

   • changed component to FAPI 1 – Part 1: Baseline

   • 2022-12-14T15:36:59+00:00
9. 

   Nat Sakimura

   • changed component to FAPI 1 – Baseline

   • 2022-12-14T15:38:20+00:00
10. 

    Nat Sakimura

    • changed component to FAPI 1: Baseline

    • 2022-12-14T15:39:09+00:00
11. Log in to comment