Create security note/consideration on B. Access Token Injection with ID Token Replay (FAPI 1.0 Advanced)

Issue #527 resolved

Nat Sakimura created an issue 2022-07-21

Need to document the approach to B. Access Token Injection with ID Token Replay in the security analysis https://arxiv.org/pdf/1901.11520.pdf

‌

Comments (9)

Nat Sakimura reporter
See ~~#526~~ as well.
- 2022-08-03T14:00:06+00:00
Nat Sakimura reporter
- changed component to Part 2: Advanced
- 2022-12-14T15:36:14+00:00
Nat Sakimura reporter
- changed component to FAPI 1 – Part 2: Advanced
- 2022-12-14T15:36:47+00:00
Nat Sakimura reporter
- changed component to FAPI 1: Advanced
- 2022-12-14T15:38:57+00:00
Dave Tonge
to double check that we aren’t covering it already, and to check that the other documented attacks are either dealt with or covered by security considerations
- 2023-05-24T14:19:53+00:00
Nat Sakimura reporter
- changed status to resolved
fixes ~~#527~~ - Create security note/consideration on B. Access Token Injection with ID Token Replay (FAPI 1.0 Advanced)

→ <<cset fc0aa197e3f1>>
- 2023-09-06T14:10:15+00:00
Nat Sakimura reporter
fixes ~~#527~~ - Use AS metadata for misconfigured endpoints

→ <<cset 9e89dd625358>>
- 2023-09-06T14:10:15+00:00
Nat Sakimura reporter
fixes ~~#527~~ - Merged "Access Token Injection with ID Token Replay" attack and mitigations into 8.3.5

→ <<cset 9f3fe5bbdfcd>>
- 2023-09-06T14:10:16+00:00
Nat Sakimura reporter
Merged in fapi1_errata_527 (pull request #429)

fixes ~~#527~~ - Create security note/consideration on B. Access Token Injection with ID Token Replay (FAPI 1.0 Advanced)

Approved-by: Dima Postnikov Approved-by: Dave Tonge Approved-by: Nat Sakimura Approved-by: Joseph Heenan

→ <<cset cdf755de9937>>
- 2023-09-06T14:10:16+00:00
Log in to comment