Open randomstuff opened 21 hours ago
Verify that the Authorization Server includes the "iss" parameter in authorization responses for the code grant in order to mitigate mixup-attacks.
For this proposed requirement, I think we should not go to the functionality testing field. We also don't have a requirement à la "verify that the "state" value is presented in the access token" or something like that, although this is a pre-condition to implement some other requirement.
We also have issues like:
I think those issues should be solved together with the focus to "Verify that there is defense against mixup-attacks."
Currently there is this verification:
i.e. if the "iss" parameter is included in the authorization response, the client must check it. But the client can proceed if the "iss" parameter is missing.
However, there is no verification for making sure that the authorization server actually included this parameter in the authorization response.
Why is this important: Verification of the issuer mitigates mix-up attacks as described in draft-ietf-oauth-security-topics-27.
Proposition:
This is not strictly necessary if the authorization server knows that the client will never talk to another authorization server but is it helpful to include this exception?
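The client-side check the thread is discussing, as an added example that is not part of the issue or of ASVS: the client records which authorization server each pending "state" was sent to, and on the redirect back it compares the "iss" parameter (RFC 9207) against that server. With `require_iss=True` a response without "iss" is rejected rather than accepted, which is the stricter behaviour proposed above. The function name, the `PENDING` table and the sample URLs are constructed for illustration.

```python
# Added example (not from the ASVS issue): client-side validation of an OAuth 2.0
# authorization response using the "iss" parameter to defend against mix-up attacks.
# Names and sample values below are constructed for illustration.
from urllib.parse import urlparse, parse_qs


class AuthResponseError(Exception):
    pass


# Pending authorization requests keyed by the "state" the client generated.
# Recording the issuer here is what lets the client detect that a code came
# back from a different authorization server than the one it sent the user to.
PENDING = {
    "st-7f3a": {"issuer": "https://as.example.com"},
}


def validate_authorization_response(redirect_url, pending, require_iss=True):
    """Return the authorization code if the response is consistent with the
    pending request recorded under its "state"; raise AuthResponseError otherwise.
    The state entry is consumed (single use) whether or not validation succeeds."""
    params = parse_qs(urlparse(redirect_url).query, keep_blank_values=True)

    def single(name):
        values = params.get(name, [])
        if len(values) > 1:
            raise AuthResponseError(f"duplicate '{name}' parameter")
        return values[0] if values else None

    state = single("state")
    if state is None or state not in pending:
        raise AuthResponseError("unknown or missing state")
    expected_issuer = pending.pop(state)["issuer"]

    iss = single("iss")
    if iss is None:
        if require_iss:
            # The lenient variant (require_iss=False) is the behaviour the thread
            # criticises: a missing "iss" is simply not checked.
            raise AuthResponseError("authorization response lacks 'iss'")
    elif iss != expected_issuer:
        # Code issued by a different AS than the request went to: do not redeem it.
        raise AuthResponseError(f"issuer mismatch: got {iss!r}, expected {expected_issuer!r}")

    code = single("code")
    if code is None:
        raise AuthResponseError("missing authorization code")
    return code
```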