Transient client secret extension
Uploaded by nat-sakimura
Transient Client Secret Extension for OAuth 2.0 Public Clients
http://tools.ietf.org/html/draft-sakimura-oauth-tcse-01
Nat Sakimura, Nomura Research Institute
Problem Statement
• On iOS, which app is launched for a custom URL scheme is non-deterministic when more than one app registers that scheme.
• Thus the authorization code may be intercepted by a malicious app that registered the same custom scheme as the target app.
• Such apps are generally public clients, so they have no client secret that would bind the code to the legitimate app.
• As a result, the malicious app can exchange the intercepted code and obtain the access token with rather high probability.
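The following simulation is an added example, not code from the slides or from the draft. It shows the defence the problem statement calls for, in the form the draft later took as PKCE (RFC 7636): the public client invents a fresh secret for each authorization request, sends only its SHA-256 hash (`code_challenge`) with the request, and presents the secret itself (`code_verifier`) when it redeems the code. A malicious app that wins the custom-scheme race holds the code but never saw the verifier, so the token endpoint refuses it. The in-memory authorization server, the client id `good-app`, the redirect URI `goodapp://callback` and the single-use code policy are assumptions made for illustration.

```python
"""Transient client secret for a public client, simulated in one process.

Added example, not code from the slides or the draft. Parameter names
(code_challenge, code_verifier, code_challenge_method) follow RFC 7636,
which this draft became; the in-memory server, client id, redirect URI
and single-use code policy are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """32 random bytes -> 43 unpadded base64url chars (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(32))


def challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Minimal in-memory server: binds each code to a challenge and redeems it once."""

    def __init__(self) -> None:
        self._codes: dict = {}  # code -> (client_id, code_challenge, method)

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, code_challenge_method: str = "S256") -> str:
        if code_challenge_method not in ("plain", "S256"):
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge, code_challenge_method)
        # The browser redirects to the custom-scheme URI; on iOS any app that
        # registered the same scheme may be the one that receives it.
        return f"{redirect_uri}?code={code}"

    def token(self, client_id: str, code: str, code_verifier: str) -> dict:
        entry = self._codes.pop(code, None)  # single use, whoever presents it
        if entry is None:
            return {"error": "invalid_grant"}
        stored_client, challenge, method = entry
        derived = code_verifier if method == "plain" else challenge_s256(code_verifier)
        # Constant-time compare; a mismatch means the caller never held the verifier.
        if stored_client != client_id or not hmac.compare_digest(
                derived.encode("utf-8"), challenge.encode("utf-8")):
            return {"error": "invalid_grant"}
        return {"token_type": "Bearer", "access_token": secrets.token_urlsafe(32)}


def code_from_redirect(url: str) -> str:
    """Pull the code out of the custom-scheme redirect the app received."""
    return parse_qs(urlparse(url).query)["code"][0]


def intercepted_flow(server: AuthorizationServer) -> dict:
    """The bad app wins the custom-scheme race: it has the code but not the verifier."""
    verifier = make_verifier()
    url = server.authorize("good-app", "goodapp://callback", challenge_s256(verifier))
    code = code_from_redirect(url)
    return server.token("good-app", code, "anything-but-the-verifier")


def honest_flow(server: AuthorizationServer) -> tuple:
    """The good app redeems its own code; a replay of the same code is refused."""
    verifier = make_verifier()
    url = server.authorize("good-app", "goodapp://callback", challenge_s256(verifier))
    code = code_from_redirect(url)
    first = server.token("good-app", code, verifier)
    replay = server.token("good-app", code, verifier)
    return first, replay


if __name__ == "__main__":
    srv = AuthorizationServer()
    print("attacker:", intercepted_flow(srv))
    print("good app, then replay:", honest_flow(srv))
```

The S256 method matters for exactly the interception case above: with `plain`, the challenge in the authorization request is the verifier itself, so a malicious app that can also observe the outbound browser request (not just the redirect back) learns the secret; hashing removes that avenue.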
[Slides 3 and 4: sequence diagrams between a bad app, a good app, the browser and the server]
Short & Sweet: the main text is just 2 pages long
JSON Metadata for OAuth Responses 1.0
http://tools.ietf.org/html/draft-sakimura-oauth-meta-02
Nat Sakimura, Nomura Research Institute
Introducing metadata to OAuth Responses
• Especially link relations for HATEOAS (Hypermedia as the Engine of Application State), but not limited to those.
• It provides a stub element in which to put other metadata about the response.
```json
{
  "_links": {
    "self": {"href": "https://example.com/token?code=123"},
    "userinfo": {
      "href": "https://example.com/user/{user_id}",
      "Authorize": "{token_type} {access_token}"
    }
  },
  "token_type": "Bearer",
  "access_token": "aCeSsToKen"
}
```
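As an added example of a client consuming the metadata above (not code from the slides or the draft), the function below follows the `userinfo` link relation: it expands the `{user_id}`, `{token_type}` and `{access_token}` placeholders from the response's own fields and builds the request header. Two points are assumptions: placeholders are expanded with simple RFC 6570-style variable substitution (the draft's exact template rules are not on the page), and the `Authorize` hint is mapped onto an `Authorization` request header. The `user_id` value is supplied by the caller, and the client refuses to follow a link whose origin differs from the `self` link, since substituting the bearer token into a request to another host would hand that host the token.

```python
"""Following `_links` in a JSON OAuth response.

Added example, not code from the slides or the draft. Template expansion
and the Authorize -> Authorization mapping are assumptions; the
same-origin policy is an illustrative client-side safeguard.
"""
import re
from urllib.parse import urlparse

# Constructed copy of the response shown on the slide.
SAMPLE_RESPONSE = {
    "_links": {
        "self": {"href": "https://example.com/token?code=123"},
        "userinfo": {
            "href": "https://example.com/user/{user_id}",
            "Authorize": "{token_type} {access_token}",
        },
    },
    "token_type": "Bearer",
    "access_token": "aCeSsToKen",
}

_VAR = re.compile(r"\{([A-Za-z0-9_]+)\}")


def expand(template: str, values: dict) -> str:
    """Replace every {name} with values[name]; an unknown name is an error, not left in place."""
    def sub(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"template variable {name!r} not available")
        return str(values[name])
    return _VAR.sub(sub, template)


def resolve_link(response: dict, rel: str, extra: dict) -> tuple:
    """Return (url, headers) for link relation `rel`.

    Placeholders are filled from the response's top-level fields plus
    `extra` (here: user_id). The target must share scheme and host with
    the `self` link, otherwise the bearer token would be sent elsewhere.
    """
    links = response["_links"]
    link = links[rel]
    values = {k: v for k, v in response.items() if k != "_links"}
    values.update(extra)
    url = expand(link["href"], values)
    self_origin = urlparse(links["self"]["href"])
    target = urlparse(url)
    if (target.scheme, target.netloc) != (self_origin.scheme, self_origin.netloc):
        raise ValueError(f"refusing to follow {rel!r} to {target.netloc}")
    headers = {}
    if "Authorize" in link:
        headers["Authorization"] = expand(link["Authorize"], values)
    return url, headers


if __name__ == "__main__":
    print(resolve_link(SAMPLE_RESPONSE, "userinfo", {"user_id": "42"}))
```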