Skip to content

Commit

Permalink
Merge pull request #217 from pmhsfelix/gh-25-clarify-redirect-uri-usage
Browse files Browse the repository at this point in the history 
gh-25: clarify applicability of the redirect_uri protection technique
  • Loading branch information
@jogu
jogu committed Jul 24, 2024
2 parents 5cbccf1 + ebc76b3 commit b76656e
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion openid-4-verifiable-presentations-1_0.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1141,7 +1141,10 @@ Such an attack is impossible against flows implemented with the Response Mode `f

However, the Response Mode `direct_post` is susceptible to such an attack as the result is sent from the Wallet out-of-band to the Verifier's Response Endpoint.

This kind of attack can be detected if the Response Mode `direct_post` is used in conjunction with the redirect URI, which causes the Wallet to redirect the flow to the Verifier's frontend at the device where the transaction was concluded. The Verifier's Response Endpoint MUST include a fresh secret (Response Code) into the redirect URI returned to the Wallet and the Verifier's Response Endpoint MUST require the frontend to pass the respective Response Code when fetching the Authorization Response. That stops session fixation attacks as long as the attacker is unable to get access to the Response Code.
This kind of attack can be detected if the Response Mode `direct_post` is used in conjunction with the redirect URI, which causes the Wallet to redirect the flow to the Verifier's frontend at the device where the transaction was concluded. The Verifier's Response Endpoint MUST include a fresh secret (Response Code) into the redirect URI returned to the Wallet and the Verifier's Response Endpoint MUST require the frontend to pass the respective Response Code when fetching the Authorization Response. That stops session fixation attacks as long as the attacker is unable to get access to the Response Code.

Note that this protection technique is not applicable to cross-device scenarios because the browser used by the wallet will not have the original session.
It is also not applicable in same-device scenarios if the wallet uses a browser different from the one used on the presentation request (e.g. device with multiple installed browsers), because the original session will also not be available there.

See (#implementation_considerations_direct_post) for more implementation considerations.

Expand Down

0 comments on commit b76656e

Please sign in to comment.