Yet another reason why Token Exchange is dangerous 🤯😱 ... • Aaron Parecki

44°F

Yet another reason why Token Exchange is dangerous 🤯😱

"Bing is allowed to issue Office tokens for any logged-on user"

https://twitter.com/hillai/status/1641146523990753290

神奈川県, JPN

Thu, Mar 30, 2023 9:54am +09:00 #security #oauth

13 likes 4 replies 1 mention
Have you written a response to this? Let me know the URL:
- Pushkar Jaltare twitter.com/Pushkar2911
  
  How will you implement the token exchange safely?Bing being able to create JWT tokens for MS Office makes sense from product standpoint. One way would be to vend scoped down tokens (for MS office) to Bing. Are there any other alternatives?
  
  Fri, Mar 31, 2023 12:49am +00:00 (via brid.gy)
- Pushkar Jaltare twitter.com/Pushkar2911
  
  How would you architect/build a similar system?
  
  Fri, Mar 31, 2023 12:32am +00:00 (via brid.gy)
- Torstein Krause Johansen emacs.ch/users/skybert
  
  @aaronpk Interesting find.
  Does this mean RFC 8693: Token Exchange is by its very nature dangerous? What would be a better way?
  
  Fri, Mar 31, 2023 4:14am +09:00
- Hirsch Singhal twitter.com/hpsin_
  
  Something something breaking cross domain cookies and composability of the web...
  
  Thu, Mar 30, 2023 1:04am +00:00 (via brid.gy)
Other Mentions
- John Gateley twitter.com/johngateley
  
  Friends don't let friends do token exchange
  
  Thu, Mar 30, 2023 2:57am +00:00 (via brid.gy)

Posted in /notes using quill.p3k.io