WeChat ID
aaronpk_tv
-
lack of form validation -
Jerry Gamblin
https://twitter.com/JGamblin
•
May 31
Yep, I realized that after I posted and made a clarifying post in the thread, which you should have saw?
I should have replied to that one. It’s barely a logic bug using JWT. I’m writing up more details in a blog post, will post a link shortly. -
Jerry Gamblin
https://twitter.com/JGamblin
•
May 30
Interesting JWT vulnerability. https://bhavukjain.com/blog/2020/05/30/zeroday-signin-with-apple/
This has almost nothing to do with JWTs, or even OpenID Connect for that matter.
-
When writing headlines, use the active voice and clearly identify subjects. https://www.theverge.com/2020/5/31/21276044/police-violence-protest-george-floyd
-
This is a great illustration of how much space cars waste!
They say that up to 230 cars will be able to fit in the stadium to watch the movie. 230 cars in the whole damn stadium.
If this is the future, I don’t wanna be in it. https://www.miamiherald.com/miami-com/things-to-do/article243003896.html -
Vinod Anandan
https://twitter.com/_VinodAnandan
•
May 31
Yes, thank you. I agree that RP should be simple and IdP should be handling the complexity. AFAIU, the OIDC spec is clear about the email_verified attribute.
The original post didn’t make this clear, so I’m writing a new post to hopefully better explain the problem. You’ll see that it has nothing to do with OIDC at all. Link coming shortly, I hope. -
Vinod Anandan
https://twitter.com/_VinodAnandan
•
May 31
My point is that OIDC has mechanisms to prevent this issue..
Please go read it again and understand the problem
-
Vinod Anandan
https://twitter.com/_VinodAnandan
•
May 31
"email_verified" : "True if the End-User's e-mail address has been verified; otherwise false....."
https://openid.net/specs/openid-connect-core-1_0.html
Go read the writeup again. The original post wasn't the clearest explanation of the problem but I also posted some more details in this thread that make it clearer. -
Vinod Anandan
https://twitter.com/_VinodAnandan
•
May 31
"The OpenID Foundation enables deployments of OpenID Connect and the Financial-grade API (FAPI) Read/Write Profile to be certified to specific conformance profiles to promote interoperability among implementations.... "
https://openid.net/certification/
And? certification wouldn't have caught this bug since it wasn't a problem with the OIDC part of the exchange. -
Fully agree to that 😀
Just looking also at examples like https://insomniasec.com/blog/auth0-jwt-validation-bypass or https://threatpost.com/microsoft-oauth-flaw-azure-takeover/150737/.
o/c they are different + very individual, but if already the big players have such issues, how much more can go wrong on RS side where devs are usually not Auth experts. -
Barbara Schachner
https://twitter.com/barschachner
•
May 31
Fully agree to that 😀
Just looking also at examples like https://insomniasec.com/blog/auth0-jwt-validation-bypass or https://threatpost.com/microsoft-oauth-flaw-azure-takeover/150737/.
o/c they are different + very individual, but if already the big players have such issues, how much more can go wrong on RS side where devs are usually not Auth experts.
Yes! And that is *exactly* why I always advocate for pushing the complexity to the authorization server and keeping the client side simple. Fewer options for clients means fewer ways to mess it up, and there will always be more client developers than AS developers. -
Arif Yayalar 💛❤️🦁
https://twitter.com/ayayalar
•
May 30
@aaronpk little disappointed that you sell pdf/ePub editions of OAuth 2.0 Simplified separately.
Yeah it's mainly a technical limitation of the platform we used for publishing it. If you send me a receipt, I'll send you the other format! -
Barbara Schachner
https://twitter.com/barschachner
•
May 31
I feel logical bugs around OAuth/OIDC/JWT handling are on the rise - and they are like the login form SQL injections of the past („be whoever you want to be“).
Love those standards and their capabilities - but are they getting too complicated?
Nah this is more a demonstration of why sticking to standards is a good idea, and why building an authorization server isn't a project that should be taken lightly.
