Create a security consideration/note on A. Cuckoo’s Token Attack (FAPI 1.0)
Issue #524
invalid
Need to document how we decided not to adopt the recommended mitigation in the security analysis.
Comments (7)
reporter:
It is mentioned in the security considerations, https://openid.net/specs/openid-financial-api-part-2-1_0.html#access-token-phishing which says:
An attacker could try to trick a client under his control to make use of the access token as described in [FAPISEC] ("Cuckoo's Token Attack" and "Access Token Injection with ID Token Replay"), but these attacks additionally require a rogue AS or misconfigured token endpoint.
reporter: The same kind of thing needs to be documented in FAPI 2.0.
reporter (changed status to invalid):
Ok. It was in the security considerations already so I will mark this as invalid.
reporter changed component to Part 2: Advanced
reporter changed component to FAPI 1 – Part 2: Advanced
reporter changed component to FAPI 1: Advanced