
Support OAuth 2.0 Authorization Server Issuer Identification standard

Open · mooreds opened this issue 2 years ago · 1 comment

Support OAuth 2.0 Authorization Server Issuer Identification

Problem

This standard helps prevent mix-up attacks when you are using more than one IdP.

Solution

From the RFC:

This document defines a new parameter in the authorization response called iss. The iss parameter allows the authorization server to include its identity in the authorization response explicitly. The client can compare the value of the iss parameter to the issuer identifier of the authorization server (e.g., retrieved from its metadata) it believes it is interacting with. The iss parameter gives the client certainty about the authorization server's identity and enables it to send credentials such as authorization codes and access tokens only to the intended recipients. Therefore, the implementation of the iss parameter serves as an effective countermeasure to mix-up attacks.

Alternatives/workarounds

n/a

Additional context

https://www.ietf.org/archive/id/draft-ietf-oauth-iss-auth-resp-01.html

https://mailarchive.ietf.org/arch/msg/oauth/-wR52rCfXO7vXB_3T7TNTAb4AFQ/

Related

  • https://github.com/FusionAuth/fusionauth-issues/issues/1029
  • https://github.com/FusionAuth/fusionauth-issues/issues/1832

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

mooreds · Sep 05 '21 16:09
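The client-side check the quoted RFC text describes, written out as an added example (this is not code from the issue or from FusionAuth). A client registered with two authorization servers records which one each flow was started with, keyed by `state`, and on the callback compares the `iss` parameter against that server's metadata `issuer` by exact string match. The issuer URLs, the callback URL and the `OAuthClient` bookkeeping are assumptions made for the example; the metadata flag `authorization_response_iss_parameter_supported`, which lets a client reject a response that omits `iss` from a server that promised to send it, is the one the specification defines (published as RFC 9207).

```python
"""Client-side validation of the `iss` authorization-response parameter.
Example code illustrating the mechanism in the issue; not FusionAuth's code."""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed metadata for two authorization servers the client is registered
# with. Issuer URLs are hypothetical. A real client fetches these documents
# from /.well-known/oauth-authorization-server or openid-configuration.
# In the mix-up scenario one of the two servers is attacker-controlled.
AS_METADATA = {
    "https://honest-as.example": {
        "issuer": "https://honest-as.example",
        "authorization_response_iss_parameter_supported": True,
    },
    "https://other-as.example": {
        "issuer": "https://other-as.example",
        "authorization_response_iss_parameter_supported": False,
    },
}


class MixUpError(Exception):
    """The authorization response did not come from the AS this flow started with."""


@dataclass
class PendingAuthorization:
    issuer: str  # issuer identifier of the AS the user agent was redirected to


class OAuthClient:
    def __init__(self, metadata):
        self.metadata = metadata
        self.pending = {}  # state value -> PendingAuthorization

    def begin(self, issuer, state):
        """Record which AS a flow was started with before redirecting the user."""
        if issuer not in self.metadata:
            raise ValueError(f"unknown authorization server {issuer!r}")
        self.pending[state] = PendingAuthorization(issuer=issuer)

    def handle_callback(self, redirect_url):
        """Validate the response; return (issuer, code) so the code is only ever
        sent to the token endpoint of the AS the flow actually started with."""
        query = parse_qs(urlsplit(redirect_url).query)  # blank values dropped, per RFC 6749

        def single(name):
            values = query.get(name, [])
            if len(values) > 1:  # RFC 6749 3.1: response parameters MUST NOT repeat
                raise MixUpError(f"parameter {name!r} repeated")
            return values[0] if values else None

        state = single("state")
        pending = self.pending.pop(state, None) if state else None
        if pending is None:
            raise MixUpError("unknown or missing state")

        expected = self.metadata[pending.issuer]["issuer"]
        iss = single("iss")
        if iss is None:
            # Missing iss is acceptable only if the AS we started with never
            # advertised support; otherwise an attacker could just strip it.
            if self.metadata[pending.issuer]["authorization_response_iss_parameter_supported"]:
                raise MixUpError(f"{expected} advertises iss support but the response has none")
        elif iss != expected:  # exact string comparison, no URL normalisation
            raise MixUpError(f"response iss {iss!r} does not match expected issuer {expected!r}")

        code = single("code")
        if code is None:
            raise MixUpError("no authorization code in response")
        return pending.issuer, code


def outcome(client, redirect_url):
    """Helper for demonstrations: 'accepted' or 'rejected' for a callback URL."""
    try:
        client.handle_callback(redirect_url)
        return "accepted"
    except MixUpError:
        return "rejected"


def simulate_mix_up():
    """Canonical mix-up: the user starts a flow with other-as (attacker-controlled),
    the attacker rewrites the redirect so the user authorizes at honest-as, and
    honest-as answers with its own iss plus the state from the other-as flow.
    Without the iss check the client would send honest-as's code to the attacker."""
    client = OAuthClient(AS_METADATA)
    client.begin("https://other-as.example", state="s1")
    callback = ("https://client.example/cb?code=honest-code&state=s1"
                "&iss=https%3A%2F%2Fhonest-as.example")
    return outcome(client, callback)
```

Two design points worth noting: the comparison is against the `issuer` value from the metadata the client already trusts, never against anything the response itself supplies, and a missing `iss` is treated as an error when the server's metadata says it sends one, since otherwise an attacker who can tamper with the redirect could simply delete the parameter.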

Just moved to "Proposed standard" https://www.ietf.org/archive/id/draft-ietf-oauth-iss-auth-resp-04.html

mooreds · Jan 05 '22 18:01