Google's "Using OAuth 2.0 for Client-side Application" article at http://ift.tt/Hy47Ku states that the client MUST validate all access tokens to verify that it was the intended recipient of the access token, in order to avoid being vulnerable to the confused deputy problem.
I believe proper use of the OAuth "state" parameter can also prevent this vulnerability. "Proper use" being cryptographically and securely binding the state parameter value to the current browser session. This can be done by hashing a combination of the session ID and a nonce (I'm not sure if including the nonce is necessary).
I have two questions:
My primary question is: Can proper use of the OAuth "state" parameter, along with using TLS with server certificate validation, mitigate the confused deputy problem, without validating the audience of the access token, for some definition of "proper use" that mitigates cross site request forgery?
My secondary question is: Is cross site request forgery a type of confused deputy problem? And if "yes", then isn't the answer to my primary question also "yes" necessarily?
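As an added illustration (not part of the question, and not code from Google's article), here is the distinction the question turns on, in Python: a state value bound to the browser session by an HMAC over the session ID and a nonce, next to the audience check on the token itself. The session dict layout, the tokeninfo dict with an `aud` key, and the server key are constructed assumptions.

```python
import hashlib
import hmac
import secrets


def make_state(server_key: bytes, session_id: str) -> tuple[str, str]:
    """Create a state value cryptographically bound to the browser session.

    The nonce is kept server-side in the session; the state sent to the
    authorization server is HMAC(server_key, session_id || nonce), so a state
    replayed into a different session (OAuth CSRF) will not verify.
    """
    nonce = secrets.token_hex(16)
    msg = f"{session_id}:{nonce}".encode()
    state = hmac.new(server_key, msg, hashlib.sha256).hexdigest()
    return state, nonce


def verify_state(server_key: bytes, session_id: str, nonce: str, received_state: str) -> bool:
    """Recompute the binding for this session and compare in constant time."""
    msg = f"{session_id}:{nonce}".encode()
    expected = hmac.new(server_key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, received_state)


def token_is_for_us(tokeninfo: dict, client_id: str) -> bool:
    """Audience check: the token must have been issued to this client.

    The state check cannot do this job: it only proves the callback belongs to
    the session that started the flow, not which client the token was minted for.
    (Assumed tokeninfo shape: a dict carrying the audience under "aud".)
    """
    return tokeninfo.get("aud") == client_id


def handle_callback(server_key: bytes, session: dict, params: dict,
                    tokeninfo: dict, client_id: str) -> str:
    """Checks on the redirect: state binding first, then token audience."""
    if not verify_state(server_key, session["id"],
                        session.get("oauth_nonce", ""), params.get("state", "")):
        return "reject: state not bound to this session (CSRF)"
    if not token_is_for_us(tokeninfo, client_id):
        return "reject: token issued for another client (confused deputy)"
    return "ok"
```

Run with a forged state to see the first rejection, and with a genuine state but a token whose `aud` is another client to see that the state check alone lets it through to the audience check.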