86°F

Aaron Parecki

  • Articles
  • Notes
  • Photos
  • Torsten Lodderstedt https://twitter.com/tlodderstedt   •   May 31
    if I understand correctly, the token request accepted an alternative email claim value and used it to override the value on Apple’s IDP. Really?
    Aaron Parecki
    If I'm reading it right it's not the token endpoint, it's their internal API for accepting the request that let the user choose which email to share with the app. So it's a form validation problem.
    Portland, Oregon • 54°F
    Sun, May 31, 2020 5:36am -07:00
    22 replies
    • Leif Johansson twitter.com/leifjohansson
      Technology is about revolting against your fathers data description language.
      Tue, Jun 2, 2020 4:44pm +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki twitter.com/aaronpk
      It's almost like they learned nothing from the mess of XML-based protocols
      Tue, Jun 2, 2020 4:44pm +00:00 (via brid-gy.appspot.com)
    • Nat Sakimura twitter.com/_nat_en
      And so did Verified / Verifiable Credentials specs. ** sigh **
      Tue, Jun 2, 2020 4:42pm +00:00 (via brid-gy.appspot.com)
    • Leif Johansson twitter.com/leifjohansson
      Isn’t CBOR putting it back?
      Mon, Jun 1, 2020 5:14pm +00:00 (via brid-gy.appspot.com)
    • Nat Sakimura twitter.com/_nat_en
      Well, after 18 years, XML DSig libs still exhibited critical normalization bugs last year. It has been continuing and I expect it to continue. That's why we removed any and all normalization from JWS. That was one of the first decision I and @ve7jtb made. Just a data point.
      Mon, Jun 1, 2020 7:01am +00:00 (via brid-gy.appspot.com)
    • Barbara Schachner twitter.com/barschachner
      No, just SAML and wouldn’t call it less complicated, just maybe so obviously complicated that only few tried to do the XML handling themselves and rather used proper libs😀 Really don’t want to criticize anyone.I have high respect for everyone inventing/maintaining such standards
      Sun, May 31, 2020 7:13pm +00:00 (via brid-gy.appspot.com)
    • Torsten Lodderstedt twitter.com/tlodderstedt
      High complexity means? Are you aware of solutions for Id federation that are simpler to use and secure?
      Sun, May 31, 2020 2:35pm +00:00 (via brid-gy.appspot.com)
    • Barbara Schachner twitter.com/barschachner
      Sorry, the Apple vulnerability is not. It’s just my feeling that higher likelihood of logical bugs due to high complexity may also apply to OIDC (in combination with OAuth).
      Sun, May 31, 2020 2:17pm +00:00 (via brid-gy.appspot.com)
    • Barbara Schachner twitter.com/barschachner
      I think the complexity comes with all the different options you have (eg grant types and self-encoded vs reference tokens, etc) and the number of tokens/secrets/codes involved. Not sure if every average pentester could find critical logical bugs in the flows.
      Sun, May 31, 2020 2:00pm +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki twitter.com/aaronpk
      Yes! And that is *exactly* why I always advocate for pushing the complexity to the authorization server and keeping the client side simple. Fewer options for clients means fewer ways to mess it up, and there will always be more client developers than AS developers.
      Sun, May 31, 2020 1:43pm +00:00 (via brid-gy.appspot.com)
    • Barbara Schachner twitter.com/barschachner
      Of course, usage of standard libs should help. Just not sure how widespread they are compared to individual implementations in that area.
      Sun, May 31, 2020 1:42pm +00:00 (via brid-gy.appspot.com)
    • Barbara Schachner twitter.com/barschachner
      Fully agree to that 😀 Just looking also at examples like insomniasec.com/blog/auth0-jwt… or threatpost.com/microsoft-oaut…. o/c they are different + very individual, but if already the big players have such issues, how much more can go wrong on RS side where devs are usually not Auth experts.
      Sun, May 31, 2020 1:41pm +00:00 (via brid-gy.appspot.com)
    • Torsten Lodderstedt twitter.com/tlodderstedt
      I don’t see how this is related to the OIDC protocol flow. Can you please elaborate?
      Sun, May 31, 2020 1:00pm +00:00 (via brid-gy.appspot.com)
    • Dominick Baier twitter.com/leastprivilege
      The protocols are not the most complicated typically (not saying they are ‘easy’ either). But business requirements on top make things complicated.
      Sun, May 31, 2020 1:00pm +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki twitter.com/aaronpk
      Nah this is more a demonstration of why sticking to standards is a good idea, and why building an authorization server isn't a project that should be taken lightly.
      Sun, May 31, 2020 12:59pm +00:00 (via brid-gy.appspot.com)
    • Barbara Schachner twitter.com/barschachner
      I feel logical bugs around OAuth/OIDC/JWT handling are on the rise - and they are like the login form SQL injections of the past („be whoever you want to be“). Love those standards and their capabilities - but are they getting too complicated?
      Sun, May 31, 2020 12:57pm +00:00 (via brid-gy.appspot.com)
    • Barbara Schachner twitter.com/barschachner
      Seen similar issues with SAML in the past. SP correctly verified the assertion, then redirected the user to the real app path with his email address as (exchangeable) parameter. On IdP/AS side it’s of course even more severe...
      Sun, May 31, 2020 12:56pm +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki twitter.com/aaronpk
      Now that I'm writing this out, I realize that the client also sends back the "name" here, intentionally, since the name is user-editable. So I can see how this happened. It's just extremely poor coding practice to essentially also allow the email to be editable here.
      Sun, May 31, 2020 12:45pm +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki twitter.com/aaronpk
      It's the handler that responds to the "Continue" form post on this screen. Instead of a Boolean, the client sent back the actual email address and the server accepted arbitrary values.
      Sun, May 31, 2020 12:42pm +00:00 (via brid-gy.appspot.com)
    • Torsten Lodderstedt twitter.com/tlodderstedt
      I see. Thanks for the clarification.
      Sun, May 31, 2020 12:41pm +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki twitter.com/aaronpk
      Yea, it's just not part of the OAuth API. It's more like bad logic on the internal implementation of the AS.
      Sun, May 31, 2020 12:39pm +00:00 (via brid-gy.appspot.com)
    • Torsten Lodderstedt twitter.com/tlodderstedt
      But it’s exposed to the client and did accept arbitrary values, right?
      Sun, May 31, 2020 12:38pm +00:00 (via brid-gy.appspot.com)
Posted in /replies using indigenous.abode.pub/ios

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

  • Director of Identity Standards at Okta
  • IndieWebCamp Founder
  • OAuth WG Editor
  • OpenID Board Member

  • 🎥 YouTube Tutorials and Reviews
  • 🏠 We're building a triplex!
  • ⭐️ Life Stack
  • ⚙️ Home Automation
  • All
  • Articles
  • Bookmarks
  • Notes
  • Photos
  • Replies
  • Reviews
  • Trips
  • Videos
  • Contact
© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.
IndieWebCamp Microformats Webmention W3C HTML5 Creative Commons
WeChat ID
aaronpk_tv