API Days Berlin 2017 Presentation

On November 11th, I gave a speech at "APIDays Berlin 8: Banking APIs and PSD2017 — The finish line for PSD2 and Open Banking" held in Berlin, Germany.

Here is the slide from that time.

Several questions came up during the session.

Q.1 What does it mean to protect `code` and `state`?

A.1 In RFC 6749, the authorization server should respond with `code` and `state`. To protect this response from tampering, we need to sign it. A detached signature is achieved by putting hashes of the values of these parameters into a payload, signing that payload, and sending the signature along with the response. This detached signature is called an ID Token. It's not a very good name, but there's nothing we can do about it.

Q.2 Why do we need to protect `state`? Wouldn't it be enough to compare the received `state` with what was sent?

A.2 An attacker can, using his or her own browser session, substitute the `code` and the ID Token at the same time while leaving `state` as it is. In that case the substitution cannot be detected by comparing `state` alone. It is therefore necessary to bind `state` and `code` together by signing both in an ID Token and attaching it to the response as a detached signature.
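To make A.1 and A.2 concrete, here is an added example (not from the talk or the post) of an authorization server issuing `code`, `state` and an ID Token that carries hashes of both, and of a client that first compares `state` and then checks the detached signature. The `c_hash` and `s_hash` construction follows OpenID Connect Core and the FAPI profile (left-most half of SHA-256, base64url); signing with HS256 and a constructed shared secret is an assumption made to keep the example dependency-free.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for the HS256 demo (an assumption; real deployments
# use an asymmetric algorithm and the server's published JWK).
SECRET = b"constructed-demo-secret"


def b64url(data: bytes) -> str:
    """base64url without padding, as used in JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def half_hash(value: str) -> str:
    """c_hash / s_hash construction: left-most half of SHA-256 over the ASCII
    octets of the value, base64url-encoded."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])

def sign_id_token(claims: dict, secret: bytes = SECRET) -> str:
    """Minimal HS256 JWS (header.payload.signature)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def issue_response(code: str, state: str) -> dict:
    """Authorization server side: code, state and an ID Token whose c_hash and
    s_hash bind the two values to this response."""
    claims = {"iss": "https://as.example", "aud": "client-1",
              "c_hash": half_hash(code), "s_hash": half_hash(state)}
    return {"code": code, "state": state, "id_token": sign_id_token(claims)}

def verify_response(resp: dict, expected_state: str, secret: bytes = SECRET) -> bool:
    """Client side: compare state, verify the detached signature, then check
    that the hashes match the code and state actually received."""
    if not hmac.compare_digest(resp["state"], expected_state):
        return False  # plain state comparison: catches CSRF, not substitution
    header, payload, sig = resp["id_token"].split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        return False
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return (hmac.compare_digest(claims.get("c_hash", ""), half_hash(resp["code"]))
            and hmac.compare_digest(claims.get("s_hash", ""), half_hash(resp["state"])))
```

A response whose `code` and ID Token were swapped for ones from another session keeps the original `state`, so the `state` comparison alone passes; the `s_hash` check is what rejects it.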

Q.3 My application uses Resource Owner Password Credentials Grant because I couldn't convince the business side. What should I have used?

A.3 Resource Owner Password Credentials Grant is deprecated and should not be used. It is still acceptable if the authorization server and the client are in the same security domain, but otherwise it should not be used, as it facilitates phishing. If you have control over the authorization server, you should use an in-app browser tab [RFC 8252]: since you control the authorization server, you can fully control its look and feel and achieve the same user interface as with Resource Owner Password Credentials. By doing so, you will have two independent security contexts, which satisfies the EBA requirements. If your authorization server is a third party, using Resource Owner Password Credentials amounts to "good faith phishing" and will break the moment the authorization server introduces phishing-resistant credentials.
