Because UMA leverages OAuth transactions, it is vulnerable to these same
attacks. However, they can be mitigated by use of existing Proof Key for
Code Exchange (PKCE - pronounced "pixie") protocols. I know Justin has
implemented PKCE in MITREid Connect. Not sure about other implementations.
Sarah
Sarah Squire
Engage Identity
http://engageidentity.com
On Sun, Nov 13, 2016 at 11:28 AM, John Wunderlich
Has anyone looked at “Signing into One Billion Mobile LApp Accounts Effortlessly with OAuth 2.0. https://www.blackhat.com/docs/eu-16/materials/eu-16-Yang-Signing-Into-Billio...” for applicability to UMA?
Sincerely, John Wunderlich @PrivacyCDN https://twitter.com/PrivacyCDN
Call: +1 (647) 669-4749 eMail: john@wunderlich.ca
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma