OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response
draft-meyerzuselhausen-oauth-iss-auth-resp-00
The information below is for an old version of the document |
Document |
Type |
|
Active Internet-Draft (individual)
|
|
Authors |
|
Karsten zu Selhausen
,
Daniel Fett
|
|
Last updated |
|
2020-10-26
|
|
Stream |
|
(None)
|
|
Intended RFC status |
|
(None)
|
|
Formats |
|
pdf
htmlized (tools)
htmlized
bibtex
|
Stream |
Stream state |
|
(No stream defined) |
|
Consensus Boilerplate |
|
Unknown
|
|
RFC Editor Note |
|
(None)
|
IESG |
IESG state |
|
I-D Exists
|
|
Telechat date |
|
|
|
Responsible AD |
|
(None)
|
|
Send notices to |
|
(None)
|
Web Authorization Protocol K. Meyer zu Selhausen
Internet-Draft Hackmanit
Intended status: Standards Track D. Fett
Expires: 29 April 2021 yes.com
26 October 2020
OAuth 2.0 Authorization Server Issuer Identifier in Authorization
Response
draft-meyerzuselhausen-oauth-iss-auth-resp-00
Abstract
This document specifies a new parameter "iss" that is used to
explicitly include the issuer identifier of the authorization server
in the authorization response of an OAuth authorization grant. If
implemented correctly, the "iss" parameter serves as an effective
countermeasure to "mix-up" attacks.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 29 April 2021.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
Meyer zu Selhausen & Fett Expires 29 April 2021 [Page 1]
Internet-Draft oauth-iss-auth-resp October 2020
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Conventions and Terminology . . . . . . . . . . . . . . . 3
2. Response Parameter "iss" . . . . . . . . . . . . . . . . . . 3
2.1. Example Authorization Response . . . . . . . . . . . . . 4
2.2. Providing the Issuer Identifier "iss" . . . . . . . . . . 4
2.3. Validation of the Issuer Identifier "iss" . . . . . . . . 5
3. Authorization Server Metadata . . . . . . . . . . . . . . . . 5
4. Security Considerations . . . . . . . . . . . . . . . . . . . 6
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
5.1. OAuth Authorization Server Metadata . . . . . . . . . . . 7
5.2. OAuth Parameters Registration . . . . . . . . . . . . . . 7
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
7. Normative References . . . . . . . . . . . . . . . . . . . . 7
8. Informative References . . . . . . . . . . . . . . . . . . . 8
Appendix A. Document History . . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction
The OAuth authorization framework [RFC6749] allows clients to
interact with multiple independent authorization servers under the
control of separate entities. Some OAuth grant types utilize the
resource owner's user-agent to deliver the authorization server's
response to the OAuth client. One example of this pattern is the
authorization response of the authorization code grant.
The authorization response as specified in Section 4.1.2. of
[RFC6479] does not contain any information about the identity of the
authorization server which issued the response. Therefore, clients
receiving a response from the resource owner's user-agent cannot be
sure who initially issued the response. The lack of certainty about
the origin of the response benefits a class of attacks called "mix-up
attacks".
This type of attack is a threat to all OAuth clients that interact
with multiple authorization servers when at least one of these
authorization servers is under an attacker's control. There are
Meyer zu Selhausen & Fett Expires 29 April 2021 [Page 2]
Internet-Draft oauth-iss-auth-resp October 2020
multiple ways in which an attacker can gain control over an
authorization server supported by the client: For example, an
authorization server could become compromised, or the attacker could
Show full document text