OWASP / ASVS

Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

V51, Verify usage of the "iss" parameter by the authorization server #2095

Open randomstuff opened 21 hours ago

randomstuff commented 21 hours ago

Currently there is this verification:

51.3.1 Verify that when an OAuth Client can interact with more than one Authorization Server, Clients should verify that the issuer "iss" parameter value is what it expected from the authorization response to prevent against mix-up attacks. In the absence of "iss" parameter, Clients may instead use distinct redirect URIs to identify authorization endpoints and token endpoints.

i.e. if the "iss" parameter is included in the authorization response the client must check it. But the client can proceed if the "iss" parameter is missing.

However, there is no verification for making sure that the authorization server actually included this parameter in the authorization response.

Why is this important: Verification of the issuer mitigates mix-up attacks as described in draft-ietf-oauth-security-topics-27.

Proposition:

Verify that the Authorization Server includes the "iss" parameter in authorization responses for the code grant in order to mitigate mix-up attacks.

This is not strictly necessary if the authorization server knows that the client will never talk to another authorization server but is it helpful to include this exception?
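The check the two sides of this thread are describing, written out as an added example (this is not ASVS text or the issue author's code). It models the "iss" authorization response parameter from RFC 9207: the authorization server adds "iss" next to "code" and "state", and a client registered with more than one authorization server compares it, by exact string match, against the issuer it sent the pending request to. A missing "iss" is rejected, which is the stricter behaviour the proposed requirement asks for. The issuer URLs, redirect URI, state and code values are constructed for the example.

```python
"""OAuth 2.0 "iss" authorization response parameter (RFC 9207):
authorization-server side (include it) and client side (verify it).
Example code; issuer URLs, state and code values are constructed."""
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed: the issuer identifiers of the two authorization servers this
# client is registered with.  A client that talks to a single AS is not
# exposed to mix-up, which is the exception the issue asks about.
KNOWN_ISSUERS = frozenset({"https://as1.example", "https://as2.example"})


def build_authorization_response(issuer: str, redirect_uri: str,
                                 code: str, state: str) -> str:
    """Authorization-server side: the redirect back to the client carries
    "iss" alongside "code" and "state" (RFC 9207 section 2)."""
    return f"{redirect_uri}?{urlencode({'code': code, 'state': state, 'iss': issuer})}"


def validate_authorization_response(redirect_url: str, pending: dict,
                                    known_issuers=KNOWN_ISSUERS) -> str:
    """Client side: return the authorization code only if the response is
    bound to a pending request and names the issuer that request went to.

    `pending` maps the "state" values of outstanding authorization requests
    to the issuer each was sent to (in a real client this lives in the user's
    session).  Raises ValueError on any failure.
    """
    query = parse_qs(urlparse(redirect_url).query, keep_blank_values=True)

    def single(name: str) -> str:
        # RFC 6749 forbids duplicated parameters; treat them as an error.
        values = query.get(name, [])
        if len(values) != 1:
            raise ValueError(f"parameter {name!r} must appear exactly once")
        return values[0]

    state = single("state")
    expected_issuer = pending.get(state)
    if expected_issuer is None:
        raise ValueError("unknown or already-used state")

    # The point of the proposed requirement: a client that knows the AS
    # supports "iss" must not accept a response without it.
    if "iss" not in query:
        raise ValueError("authorization response lacks 'iss'")
    iss = single("iss")
    if iss not in known_issuers:
        raise ValueError("issuer is not one this client is registered with")
    if iss != expected_issuer:
        # The code came from a different AS than the one the flow started
        # with: the mix-up condition.  Do not redeem this code anywhere.
        raise ValueError("issuer mismatch: possible mix-up attack")

    code = single("code")
    del pending[state]  # state is single-use
    return code


def rejection_reason(redirect_url: str, pending: dict,
                     known_issuers=KNOWN_ISSUERS):
    """Convenience wrapper: None if the response is accepted, else the
    reason it was rejected."""
    try:
        validate_authorization_response(redirect_url, pending, known_issuers)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed flow: the client started a request at as1 with state st-7f3a.
    pending = {"st-7f3a": "https://as1.example"}
    url = build_authorization_response("https://as1.example",
                                       "https://client.example/cb",
                                       "SplxlOBeZQQYbYS6WxSbIA", "st-7f3a")
    print(validate_authorization_response(url, pending))
```

The same check applies to error responses, which RFC 9207 also requires to carry "iss"; the example only covers the success path of the code grant, which is the case the proposed requirement text names.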

elarlang commented 11 hours ago

Verify that the Authorization Server includes the "iss" parameter in authorization responses for the code grant in order to mitigate mix-up attacks.

For this proposed requirement I think we should not go to the functionality testing field. We also don't have a requirement à la "verify that the "state" value is presented in the access token" or something like that, although this is a pre-condition to implement some other requirement.

We also have issues like:

I think those issues should be solved together with the focus to "Verify that there is defense against mixup-attacks."