C. PKCE Chosen Challenge Attack

Comments (6)

1. 

   Joseph Heenan

   The description of the attack says “This attack affects public clients who use the Read-Only profile of the FAPI.” - I can’t see an obvious way to apply the attack within the constrains of FAPI2?

   • 2022-07-21T09:27:12+00:00
2. 

   Tim Würtele

   I agree with Joseph here: FAPI 2.0 requires client authentication and the PKCE chosen challenge attack only works because a malicious client poses as a different, honest client when talking to the AS. Client authentication should prevent this.

   • 2022-07-26T07:46:44+00:00
3. 

   Daniel Fett

   +1, can be closed

   • 2022-08-03T13:34:03+00:00
4. 

   Dave Tonge

   Agreed to close

   • 2022-08-17T14:46:51+00:00
5. 

   Joseph Heenan

   • changed status to resolved

   agreed to close on today's wg call, no action needed.

   • 2022-08-17T14:47:04+00:00
6. 

   Nat Sakimura reporter

   • changed component to FAPI2: Security Profile

   • 2022-12-14T15:35:25+00:00
7. Log in to comment