C. PKCE Chosen Challenge Attack
Issue #528
resolved
Need to address what to do with C. PKCE Chosen Challenge Attack in FAPI 2.0
For the attack, see https://arxiv.org/pdf/1901.11520.pdf
Comments (6)
-
The description of the attack says "This attack affects public clients who use the Read-Only profile of the FAPI." I can't see an obvious way to apply the attack within the constraints of FAPI2?
-
I agree with Joseph here: FAPI 2.0 requires client authentication and the PKCE chosen challenge attack only works because a malicious client poses as a different, honest client when talking to the AS. Client authentication should prevent this.
-
+1, can be closed
-
Agreed to close
-
- changed status to resolved
agreed to close on today's wg call, no action needed.
-
reporter - changed component to FAPI2: Security Profile
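To make the thread's reasoning concrete, here is an added illustration (not code from this issue, the FAPI specifications or any AS implementation) of a token endpoint that, besides checking the PKCE code_verifier, requires client authentication and checks that the authenticated client is the one the authorization code was issued to. The client ids, secrets and the in-memory code store are constructed sample values, and the shared-secret check stands in for the stronger client authentication methods FAPI 2.0 actually mandates.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample registry of confidential clients and their secrets.
# FAPI 2.0 mandates methods such as private_key_jwt or mTLS; a shared secret
# keeps this example self-contained.
CLIENTS = {"honest-app": "s3cret-honest", "other-app": "s3cret-other"}

# Constructed store of issued authorization codes: each code is bound to the
# client_id of the authorization request and to its PKCE code_challenge.
ISSUED_CODES = {}

def s256(code_verifier: str) -> str:
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def issue_code(client_id: str, code_challenge: str) -> str:
    code = secrets.token_urlsafe(16)
    ISSUED_CODES[code] = {"client_id": client_id, "code_challenge": code_challenge}
    return code

def authenticate_client(client_id, client_secret) -> bool:
    expected = CLIENTS.get(client_id)
    if expected is None or client_secret is None:
        return False
    return hmac.compare_digest(expected.encode(), client_secret.encode())

def exchange_code(code, code_verifier, client_id=None, client_secret=None):
    """Return ('ok', client_id) or ('error', reason) for a token request."""
    # FAPI 2.0 has no public clients: every token request must be authenticated.
    if not authenticate_client(client_id, client_secret):
        return ("error", "invalid_client")
    # Single use: the code is consumed as soon as it is presented.
    record = ISSUED_CODES.pop(code, None)
    if record is None:
        return ("error", "invalid_grant")
    # The authenticated client must be the client the code was issued to.
    if record["client_id"] != client_id:
        return ("error", "invalid_grant")
    # PKCE: the verifier must match the challenge from the authorization request.
    if not hmac.compare_digest(s256(code_verifier), record["code_challenge"]):
        return ("error", "invalid_grant")
    return ("ok", client_id)
```

PKCE alone only ties the code to whoever chose the code_challenge; the client_id binding plus client authentication is what ties it to an identity the AS has verified.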