I feel like somehow we discussed this once before. Would the required further UMA relationships (AAT etc.) be able to be formed in that case? If not, we'd be in the clear. Maybe we can find it in old WG meeting notes... I don't have the time right now, but maybe someone's willing to go on an Easter egg hunt. :-)


Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl


On Mon, Jan 25, 2016 at 10:58 AM, George Fletcher <george.fletcher@teamaol.com> wrote:
In general, since UMA uses straight OAuth2 and Dynamic Client Registration, whatever mitigations are arrived at will apply to UMA. The place where UMA adds something to the flow is the initial request to the resource server without an RPT. If the RS is malicious, it can direct the client to a malicious AS which could perform these attacks. An email with a link to a resource on the malicious RS could start the attack. To me this feels like another form of phishing, but it would feel seamless to the user (being directed to a well-known "good" IdP for authentication) and providing that code or token to the Bad AS, exposing the user. I'm curious if others have thought through this aspect.

Thanks,
George
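The scenario George describes hinges on the client trusting whatever authorization server the resource server names in its initial challenge. The following toy client, added here as an illustration and not code from the thread or from the UMA WG, shows the two defensive checks a client can make: it only follows an `as_uri` from the RS's `WWW-Authenticate: UMA` challenge when that AS is one it already has a registration with, and it binds each pending authorization request to that AS so a code returned from a different issuer is refused. The `as_uri` challenge parameter comes from the UMA spec; the `iss` parameter on the authorization response is an assumption modelled on the mix-up mitigations discussed in the OAuth threads, and the allowlist and URLs are constructed sample values.

```python
import re
import secrets
from urllib.parse import urlparse, parse_qs

# Constructed allowlist: the authorization servers this client has registered
# with out of band. An RS cannot add entries to it simply by naming an AS.
TRUSTED_AS = {"https://as.example.com"}


def parse_uma_challenge(header):
    """Parse a 'WWW-Authenticate: UMA ...' challenge into a dict of parameters."""
    scheme, _, rest = header.partition(" ")
    if scheme != "UMA":
        return None
    return {k: v for k, v in re.findall(r'(\w+)="([^"]*)"', rest)}


def select_as(header, trusted=TRUSTED_AS):
    """Return the as_uri named by the RS only if it is an AS we already trust."""
    params = parse_uma_challenge(header)
    if not params or "as_uri" not in params:
        return None
    as_uri = params["as_uri"].rstrip("/")
    u = urlparse(as_uri)
    # Refuse plaintext, userinfo tricks ("https://good@evil") and decorated URLs
    # before consulting the allowlist, so lookalikes never reach the comparison.
    if u.scheme != "https" or u.username is not None or u.password is not None:
        return None
    if u.query or u.fragment:
        return None
    return as_uri if as_uri in trusted else None


class PendingFlows:
    """Bind each authorization request to the AS it was sent to, keyed by state."""

    def __init__(self):
        self._flows = {}

    def start(self, as_uri):
        """Record that a flow was started at as_uri and return the state to send."""
        state = secrets.token_urlsafe(16)
        self._flows[state] = as_uri
        return state

    def finish(self, redirect_url):
        """Accept the code only if state is known and the response names the same AS.

        Assumption: the AS echoes its issuer in an 'iss' query parameter (mix-up
        mitigation). A code that arrives with an unknown state or a different issuer
        is dropped rather than exchanged."""
        q = parse_qs(urlparse(redirect_url).query)
        state = q.get("state", [None])[0]
        expected = self._flows.pop(state, None)  # one-shot: also defeats replay
        if expected is None:
            return None
        iss = q.get("iss", [None])[0]
        if iss is None or iss.rstrip("/") != expected:
            return None
        return q.get("code", [None])[0]


if __name__ == "__main__":
    # Constructed RS challenge pointing at an attacker-controlled AS: refused.
    print(select_as('UMA realm="photos", as_uri="https://as.evil.example"'))
    # Constructed challenge pointing at the registered AS: followed.
    print(select_as('UMA realm="photos", as_uri="https://as.example.com"'))
```

The point of keeping the allowlist static is that Dynamic Client Registration must never happen as a side effect of an RS challenge; the client decides which ASes it will register with, and the RS can only pick among them.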

On 1/10/16 4:59 PM, Eve Maler wrote:
To read relevant links and commentary, please see these two OAuth and OpenID Connect email threads:
If anyone thinks we need to add something beyond our current security considerations, it would be good to open a new issue and propose a severity level.

Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl



_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma