Nah this is more a demonstration of why sticking to standards ... • Aaron Parecki

Barbara Schachner https://twitter.com/barschachner • May 31
I feel logical bugs around OAuth/OIDC/JWT handling are on the rise - and they are like the login form SQL injections of the past („be whoever you want to be“).
Love those standards and their capabilities - but are they getting too complicated?

Nah this is more a demonstration of why sticking to standards is a good idea, and why building an authorization server isn't a project that should be taken lightly.

Portland, Oregon • 54°F

Sun, May 31, 2020 5:59am -07:00

1 like 12 replies
- Barbara Schachner
Have you written a response to this? Let me know the URL:
- Leif Johansson twitter.com/leifjohansson
  
  Technology is about revolting against your fathers data description language.
  
  Tue, Jun 2, 2020 4:44pm +00:00 (via brid-gy.appspot.com)
- Aaron Parecki twitter.com/aaronpk
  
  It's almost like they learned nothing from the mess of XML-based protocols
  
  Tue, Jun 2, 2020 4:44pm +00:00 (via brid-gy.appspot.com)
- Nat Sakimura twitter.com/_nat_en
  
  And so did Verified / Verifiable Credentials specs. ** sigh **
  
  Tue, Jun 2, 2020 4:42pm +00:00 (via brid-gy.appspot.com)
- Leif Johansson twitter.com/leifjohansson
  
  Isn’t CBOR putting it back?
  
  Mon, Jun 1, 2020 5:14pm +00:00 (via brid-gy.appspot.com)
- Nat Sakimura twitter.com/_nat_en
  
  Well, after 18 years, XML DSig libs still exhibited critical normalization bugs last year. It has been continuing and I expect it to continue. That's why we removed any and all normalization from JWS. That was one of the first decision I and @ve7jtb made. Just a data point.
  
  Mon, Jun 1, 2020 7:01am +00:00 (via brid-gy.appspot.com)
- Barbara Schachner twitter.com/barschachner
  
  No, just SAML and wouldn’t call it less complicated, just maybe so obviously complicated that only few tried to do the XML handling themselves and rather used proper libs😀 Really don’t want to criticize anyone.I have high respect for everyone inventing/maintaining such standards
  
  Sun, May 31, 2020 7:13pm +00:00 (via brid-gy.appspot.com)
- Torsten Lodderstedt twitter.com/tlodderstedt
  
  High complexity means? Are you aware of solutions for Id federation that are simpler to use and secure?
  
  Sun, May 31, 2020 2:35pm +00:00 (via brid-gy.appspot.com)
- Barbara Schachner twitter.com/barschachner
  
  Sorry, the Apple vulnerability is not. It’s just my feeling that higher likelihood of logical bugs due to high complexity may also apply to OIDC (in combination with OAuth).
  
  Sun, May 31, 2020 2:17pm +00:00 (via brid-gy.appspot.com)
- Aaron Parecki twitter.com/aaronpk
  
  Yes! And that is *exactly* why I always advocate for pushing the complexity to the authorization server and keeping the client side simple. Fewer options for clients means fewer ways to mess it up, and there will always be more client developers than AS developers.
  
  Sun, May 31, 2020 1:43pm +00:00 (via brid-gy.appspot.com)
- Barbara Schachner twitter.com/barschachner
  
  Of course, usage of standard libs should help. Just not sure how widespread they are compared to individual implementations in that area.
  
  Sun, May 31, 2020 1:42pm +00:00 (via brid-gy.appspot.com)
- Barbara Schachner twitter.com/barschachner
  
  Fully agree to that 😀 Just looking also at examples like insomniasec.com/blog/auth0-jwt… or threatpost.com/microsoft-oaut…. o/c they are different + very individual, but if already the big players have such issues, how much more can go wrong on RS side where devs are usually not Auth experts.
  
  Sun, May 31, 2020 1:41pm +00:00 (via brid-gy.appspot.com)
- Torsten Lodderstedt twitter.com/tlodderstedt
  
  I don’t see how this is related to the OIDC protocol flow. Can you please elaborate?
  
  Sun, May 31, 2020 1:00pm +00:00 (via brid-gy.appspot.com)

Posted in /replies using indigenous.abode.pub/ios