OAuth 2.0 Public Client Secret Extension
1. Transient Client Secret Extension for OAuth 2.0 Public Clients
http://tools.ietf.org/html/draft-sakimura-oauth-tcse-01
Nat Sakimura
Nomura Research Institute
2. Problem Statement
• App selection by custom URL scheme is non-deterministic on iOS.
• Thus, the authorization code may be intercepted by a malicious app that registered the same custom scheme as the target app.
• Those apps are generally public clients, so they do not have a client secret.
• As a result, the access token is obtained by the malicious app with a rather high probability.
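The slide states the problem but not the mechanism the draft's title promises. The following added example (not code from the draft or from its author) models the transient-client-secret idea the way it was later standardised in RFC 7636 (PKCE): the app generates a one-time secret (code_verifier), sends only its SHA-256 hash (code_challenge) with the authorization request, and presents the secret itself when redeeming the code. An app that merely intercepts the code via the custom scheme never saw the secret, so the token request fails. The parameter names and the in-memory AuthorizationServer are assumptions for illustration, not the draft's exact wire format.

```python
import base64
import hashlib
import hmac
import secrets


def make_code_verifier(nbytes: int = 32) -> str:
    """Transient secret kept only in the legitimate app's memory."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()


def make_code_challenge(verifier: str) -> str:
    """S256 transform: the hash is safe to expose in the front channel."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class AuthorizationServer:
    """Hypothetical server that binds each code to the challenge it was issued with."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str]] = {}  # code -> (client_id, challenge)

    def authorize(self, client_id: str, code_challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, code_challenge)
        return code  # delivered via the custom-scheme redirect, possibly to the wrong app

    def token(self, client_id: str, code: str, code_verifier: str):
        # Single use: the code is consumed whether or not the check below succeeds,
        # so a failed guess also burns the code (RFC 6749 section 4.1.2 semantics).
        entry = self._codes.pop(code, None)
        if entry is None:
            return None
        stored_client, challenge = entry
        if stored_client != client_id:
            return None
        expected = make_code_challenge(code_verifier)
        if not hmac.compare_digest(expected, challenge):
            return None
        return {"token_type": "Bearer", "access_token": secrets.token_urlsafe(24)}


def legitimate_flow(server: AuthorizationServer) -> bool:
    """The app that requested the code also holds the verifier: exchange succeeds."""
    verifier = make_code_verifier()
    code = server.authorize("public-app", make_code_challenge(verifier))
    return server.token("public-app", code, verifier) is not None


def intercepted_flow(server: AuthorizationServer) -> bool:
    """iOS delivers the redirect to an impostor registered on the same scheme.
    It holds the code but not the verifier, so any verifier it supplies fails."""
    verifier = make_code_verifier()
    code = server.authorize("public-app", make_code_challenge(verifier))
    impostor_guess = make_code_verifier()  # no way to recover the real one from its hash
    return server.token("public-app", code, impostor_guess) is not None


if __name__ == "__main__":
    srv = AuthorizationServer()
    print("legitimate app got a token:", legitimate_flow(srv))   # True
    print("intercepting app got a token:", intercepted_flow(srv))  # False
```

Because only the hash travels through the redirect, the custom-scheme ambiguity the slide describes no longer yields a usable token; the server still needs to reject a code that is presented twice, which the pop() above provides.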
6. JSON Metadata for OAuth Responses 1.0
http://tools.ietf.org/html/draft-sakimura-oauth-meta-02
Nat Sakimura
Nomura Research Institute
7. Introducing metadata to OAuth Responses
• Especially link relationships for HATEOAS (Hypermedia as the Engine of Application State), but not limited to them.
• It provides a stub element in which to put other metadata about the response.
{
  "_links": {
    "self": {"href": "https://example.com/token?code=123"},
    "userinfo": {
      "href": "https://example.com/user/{user_id}",
      "Authorize": "{token_type} {access_token}"
    }
  },
  "token_type": "Bearer",
  "access_token": "aCeSsToKen"
}
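The slide shows a token response whose "_links" entries carry templated values, but not how a client is expected to consume them. The following added example (my own code, not part of the draft) embeds the slide's JSON as a constructed sample and resolves the userinfo link: template variables are filled from the response's own top-level fields plus a caller-supplied user_id, the path variable is percent-encoded so an untrusted user_id cannot inject path segments, and the client refuses to send the bearer token anywhere but an https href. The expand() helper and the "Authorize" key being treated as the Authorization header value are assumptions about the draft's intent.

```python
import json
import re
from urllib.parse import quote, urlsplit

# Constructed sample: the token response shown on the slide.
SAMPLE_RESPONSE = """{
  "_links": {
    "self": {"href": "https://example.com/token?code=123"},
    "userinfo": {
      "href": "https://example.com/user/{user_id}",
      "Authorize": "{token_type} {access_token}"
    }
  },
  "token_type": "Bearer",
  "access_token": "aCeSsToKen"
}"""

_VAR = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")


def expand(template: str, values: dict, encode: bool = False) -> str:
    """Substitute {name} placeholders; unknown names are an error, never left in place."""

    def repl(match: re.Match) -> str:
        name = match.group(1)
        if name not in values:
            raise KeyError(f"unbound template variable {name!r}")
        text = str(values[name])
        # Path variables are encoded so "a/b" cannot become an extra segment.
        return quote(text, safe="") if encode else text

    return _VAR.sub(repl, template)


def build_userinfo_request(response_json: str, user_id: str) -> tuple[str, dict]:
    """Return (url, headers) for the userinfo link advertised in the response."""
    resp = json.loads(response_json)
    link = resp["_links"]["userinfo"]

    # Only the response's scalar fields feed the templates, never the _links block.
    ctx = {k: v for k, v in resp.items() if k != "_links" and not isinstance(v, (dict, list))}
    ctx["user_id"] = user_id

    url = expand(link["href"], ctx, encode=True)
    if urlsplit(url).scheme != "https":
        # A bearer token in a header is a credential; do not leak it over plaintext.
        raise ValueError(f"refusing to send a bearer token to non-https link {url!r}")

    headers = {"Authorization": expand(link["Authorize"], ctx)}
    return url, headers


if __name__ == "__main__":
    print(build_userinfo_request(SAMPLE_RESPONSE, "alice"))
    # ('https://example.com/user/alice', {'Authorization': 'Bearer aCeSsToKen'})
```

If an authorization server also wanted to pin which hosts the token may be presented to, the same place that checks the scheme is where a comparison against the "self" link's host would go.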