Thanks, Alec (and Gabriel!). Is it possible to update the UMA wiki with this information? Thank you.


Eve Maler, president and founder
Cell and Signal +1 (425) 345-6756

On Mar 18, 2025, at 7:57 AM, Alec L via WG-UMA <wg-uma@kantarainitiative.org> wrote:

Hi,

This is a notice of an identified vulnerability in the UMA 2 specification. Please refer to the attached documents for full details, including recommended next steps for mitigation if your implementation is affected. 

Many thanks to Gabriel Corona for his efforts in finding, documenting and explaining these issues to us!

Please reach out if you'd like to discuss further,
Best,
- Alec

Am I impacted?
You are probably not impacted if UMA clients only interact with known resource and authorization services.

You might be impacted if the following are true:
* the UMA client is able to start flows with any UMA resource server
* the UMA client is able to start flows with any UMA authorization server
* the authorization server supports open dynamic registration of clients, without any pre-registration process or requirements for the client. In this case, you probably can't be sure that the client isn't a malicious AS



Alec Laws

CTO
Engineering | IDENTOS Inc.
Mobile: (647)-822-1529
Email: alec@identos.ca

Attachments: malicious-as-disclosure.md, Pass-the-permission-ticket vulnerability-disclosure.md

_______________________________________________
A Community Group mailing list of KantaraInitiative.org
WG-UMA mailing list -- wg-uma@kantarainitiative.org
To unsubscribe send an email to staff@kantarainitiative.org
List archives --  https://mailman.kantarainitiative.org/hyperkitty/list/wg-uma@kantarainitiative.org/
Group wiki -- https://kantara.atlassian.net/wiki/spaces/WG-UMA