Tonight’s light reading

OAuth 2.0 Authorization Server Issuer Identification
Okay, so this is something that addresses the conversation in GNAP right now.
A mix-up attack is where a client, which interacts with multiple AS, uses one that has become compromised (AAS), and it is proxying & rewriting from an uncompromised AS (HAS).
I wish acronyms weren’t explained more often
JARM (Jwt secured Access Response Mode) is such a weird name to me
Yeah I guess so. If the client is just following redirects (and it so happens to start with the Adversary’s AS (AAS) and end with the Honest AS (HAS)), the mix up isn’t actually a MITM attack, but something else in the protocol.

So my earlier interpretation of a mix up was off.
Looking back at the GNAP graph, I see where I mixed things up (oh the pun).

While the AAS does contact the HAS and rewrites the response, the client also communicates with the HAS using the modified interaction / session.

So, a bit of both I guess.
Wrapping up: OAuth 2.0 Authorization Server Issuer Identification appears to help outside of JARM as a mitigation to mix up attacks. While the introduction does not sufficiently edify me on the circumstances this mitigation applies to, the proposal is minimal and sound.
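The mitigation the thread lands on, as an added example that is not the thread's own code: the client records which AS each authorization request went to and, on the redirect back, refuses the response unless its `iss` parameter names that same AS. The issuers and metadata below are constructed, and the AAS-then-HAS redirect chain from the thread is the rejected case.

```python
# Added example (not from the thread): an RFC 9207-style "iss" check in an
# OAuth client, exercised with a constructed honest flow and a constructed
# mix-up flow (request sent to the AAS, response arriving from the HAS).
import secrets
from urllib.parse import urlparse, parse_qs

# Constructed AS metadata: which issuers advertise iss support.
KNOWN_AS = {
    "https://honest.example": {"authorization_response_iss_parameter_supported": True},
    "https://attacker.example": {"authorization_response_iss_parameter_supported": True},
}

class MixUpError(Exception):
    """The authorization response did not come from the AS the request went to."""

class Client:
    def __init__(self, known_as=KNOWN_AS):
        self.known_as = known_as
        self._pending = {}  # state -> issuer the authorization request was sent to

    def start_authorization(self, issuer):
        # Bind each state value to the AS this request is going to.
        state = secrets.token_urlsafe(16)
        self._pending[state] = issuer
        return state

    def handle_callback(self, redirect_url):
        params = parse_qs(urlparse(redirect_url).query)
        state = params.get("state", [None])[0]
        expected = self._pending.pop(state, None)
        if expected is None:
            raise MixUpError("unknown or replayed state")
        iss = params.get("iss", [None])[0]
        supported = self.known_as[expected]["authorization_response_iss_parameter_supported"]
        if iss is None:
            if supported:
                raise MixUpError("AS advertises iss support but the response has none")
        elif iss != expected:
            # The HAS answered a request the client sent to the AAS: mix-up.
            raise MixUpError(f"response from {iss!r}, expected {expected!r}")
        # Only now is it safe to redeem the code at `expected`'s token endpoint.
        return params["code"][0], expected

def is_rejected(client, redirect_url):
    """True if the client refuses the authorization response."""
    try:
        client.handle_callback(redirect_url)
        return False
    except MixUpError:
        return True
```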
