decentralized-identity / papers

Notes, ideas, and write-ups from DIF members and collaborators
Apache License 2.0

[SIOP] response_mode=query must not be used #24

Closed selfissued closed 5 years ago

selfissued commented 5 years ago

The spec currently says that "SIOP implementing the DID AuthN specification MAY set the response_mode to query, or form_post." This violates the requirement at https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#id_token that "the query encoding MUST NOT be used". This is a security issue.

It's ok to allow fragment (the default) or form_post, but not query.

selfissued commented 5 years ago

Also, delete "or query string" from "If an attacker can cause the to be sent a URI under his control, he will directly get access to the fragment or query string carrying the id_token."

awoie commented 5 years ago

Thank you. If it breaks the existing spec, then we will remove the option to allow query.
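As an added illustration of the rule the issue invokes (not code from the repository or from either commenter), the check below rejects `response_mode=query` whenever the response type carries an `id_token` or access token, defaults such requests to `fragment`, and shows why the rule exists: a browser sends the query string to the redirect URI's server (and so into logs, proxies and Referer headers) but never the fragment. The parameter names are the standard OAuth/OpenID ones; the RP URL and token values are constructed sample data.

```python
"""Enforce the OAuth 2.0 Multiple Response Types rule: no query encoding for token-bearing responses."""
from urllib.parse import urlsplit, parse_qs

# Response-type components that place a token directly in the redirect.
# For these the spec says the query encoding MUST NOT be used.
TOKEN_BEARING = {"id_token", "token"}


def default_response_mode(response_type: str) -> str:
    """fragment is the default whenever an id_token or access token is returned; query otherwise."""
    return "fragment" if set(response_type.split()) & TOKEN_BEARING else "query"


def validate_response_mode(params: dict) -> str:
    """Return the effective response_mode for an authorization request, or raise ValueError."""
    response_type = params.get("response_type", "")
    mode = params.get("response_mode") or default_response_mode(response_type)
    if mode not in ("query", "fragment", "form_post"):
        raise ValueError(f"unsupported response_mode {mode!r}")
    if mode == "query" and set(response_type.split()) & TOKEN_BEARING:
        raise ValueError("response_mode=query MUST NOT be used when the response carries a token")
    return mode


def server_visible_params(redirect_url: str) -> dict:
    """Simulate what the RP's HTTP server receives when the browser follows the redirect.

    The query string travels in the request line; the fragment stays in the browser,
    which is why fragment (or form_post) keeps an id_token out of server-side logs.
    """
    parts = urlsplit(redirect_url)
    return {k: v[0] for k, v in parse_qs(parts.query).items()}


if __name__ == "__main__":
    # Constructed sample values; the id_token is a placeholder, not a real JWT.
    print(validate_response_mode({"response_type": "id_token", "client_id": "rp"}))  # fragment
    print(server_visible_params("https://rp.example/cb#id_token=TOKEN&state=abc"))   # {}
    print(server_visible_params("https://rp.example/cb?id_token=TOKEN&state=abc"))   # token leaks
```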