Token Recipient Confusion
CheariX edited this page Jul 21, 2016 · 1 revision
Each ID token is intended for one specific Client. This is expressed by the aud (audience) claim shown below: it carries the client_id of the recipient Client (it may also be an array listing several audiences), and the Client must verify that its own client_id is among the listed audiences and that no audience it does not trust is present, as required by the OIDC Core Specification, Section 3.1.3.7, Step 3. Steps 4 and 5 of the same section add that, when several audiences are listed, the azp (authorized party) claim should be present and should equal the Client's client_id.
```
Header: { "alg": "HS256" }
Body: {
  "iss": "http://openidConnectProvider.com/",
  "sub": "user1",
  "exp": 1444148908,
  "iat": 1444148308,
  "nonce": "40c6b33b9a2e",
  --> "aud": "theClientId" <--
}
Signature: AF45JF93LKD76D....
```
If this check is missing, an attacker can replay tokens that were issued for a different Client. The attacker registers a Client of their own at the same OpenID Provider, for example a harmless-looking weather forecast service, and lures the victim into logging in there. The attacker thereby receives a valid ID token for the victim whose aud is the weather forecast Client, and submits it to the targeted Client instead. Because the same OP issued the token, its signature, iss and exp checks all pass; only the aud check distinguishes the two recipients. If it is missing, the attacker gains access to the targeted Client in the context of the victim.
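The following added example (written for this page, not code from the project or the OIDC specification) contrasts a Client that verifies signature, iss and exp but never aud with one that performs the audience checks of OIDC Core 3.1.3.7 Steps 3 to 5. It stands in for the OP with a minimal HS256 signer and assumes, as a constructed setup, that both Clients' tokens are signed under the same key; the client_ids, the key and the `trusted_audiences` parameter are assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# All identifiers and the key below are constructed for this example.
ISSUER = "http://openidConnectProvider.com/"
TARGET_CLIENT_ID = "theClientId"                # the Client being defended
ATTACKER_CLIENT_ID = "weatherForecastClient"    # the attacker's harmless-looking Client
# Assumption: the OP signs ID tokens for both Clients with the same HS256 key,
# so a token minted for one Client carries a signature the other accepts.
HS256_KEY = b"constructed-demo-key-do-not-use"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes = HS256_KEY) -> str:
    """Mint an HS256 ID token; stands in for the OpenID Provider."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_signature(token: str, key: bytes = HS256_KEY) -> dict:
    """Verify the HS256 signature and return the claims, or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def vulnerable_validate(token: str, now: int) -> str:
    """Checks signature, iss and exp but never aud: a token this OP issued
    to any Client is accepted. Returns the authenticated subject."""
    claims = verify_signature(token)
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims["sub"]


def validate_id_token(token: str, client_id: str, now: int,
                      trusted_audiences=None) -> str:
    """Audience part of ID Token Validation (OIDC Core 3.1.3.7, Steps 3 to 5):
    aud (string or array) must list client_id and no untrusted audience;
    with several audiences azp must be present and equal client_id."""
    claims = verify_signature(token)
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("token not intended for this Client")
    trusted = set(trusted_audiences or ()) | {client_id}
    if any(a not in trusted for a in audiences):
        raise ValueError("untrusted additional audience")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp missing or not this Client")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims["sub"]


def demo() -> dict:
    now = int(time.time())
    # Token the OP issued to the attacker's Client when the victim logged in there.
    stolen = make_id_token({"iss": ISSUER, "sub": "user1", "aud": ATTACKER_CLIENT_ID,
                            "exp": now + 600, "iat": now, "nonce": "40c6b33b9a2e"})
    results = {"vulnerable": vulnerable_validate(stolen, now)}  # replay succeeds
    try:
        results["hardened"] = validate_id_token(stolen, TARGET_CLIENT_ID, now)
    except ValueError as err:
        results["hardened"] = str(err)                            # replay rejected
    # A genuine token for the target with an array aud and azp still passes.
    genuine = make_id_token({"iss": ISSUER, "sub": "user1",
                             "aud": [TARGET_CLIENT_ID, "reportingService"],
                             "azp": TARGET_CLIENT_ID, "exp": now + 600, "iat": now})
    results["genuine"] = validate_id_token(genuine, TARGET_CLIENT_ID, now,
                                           trusted_audiences={"reportingService"})
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the vulnerable validator returning `user1` for the replayed token while the hardened one rejects it with "token not intended for this Client", and the multi-audience token for the target is still accepted because its azp names the target. Real Clients verify the OP's asymmetric signature from its JWKS rather than an HS256 secret, but the audience logic is unchanged.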