In general, since UMA uses straight OAuth2 and Dynamic Client Registration, whatever mitigations are arrived at will apply to UMA. The place where UMA adds something to the flow is the initial request to the resource server without an RPT. If the RS is malicious, it can direct the client to a malicious AS, which could perform these attacks. An email with a link to a resource on the malicious RS could start the attack. To me this feels like another form of phishing, but it would feel seamless to the user (being directed to a well-known "good" IdP for authentication) and providing that code or token to the bad AS, exposing the user. I'm curious whether others have thought through this aspect.

Thanks,
George

On 1/10/16 4:59 PM, Eve Maler wrote:
To read relevant links and commentary, please see these two OAuth and OpenID Connect email threads:
If anyone thinks we need to add something beyond our current security considerations, it would be good to open a new issue and propose a severity level.

Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl



_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma
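The RS-to-AS hop George describes, as an added illustration that is not code from the thread or from any UMA implementation: a client receives the UMA 1.0 challenge an RS returns for a request without an RPT (WWW-Authenticate: UMA realm=..., as_uri=...), and applies two checks before it ever sends a code anywhere. The first is an allowlist of AS origins the client is configured to trust, so an RS cannot steer it to an arbitrary AS; the second binds the OAuth state value to the AS the flow was started with and refuses a callback whose issuer differs (the iss authorization-response parameter that RFC 9207 later standardised). The allowlist, the /authorize and /token paths, the client identifiers and the sample headers are all assumptions constructed for this example.

```python
import re
import secrets
from urllib.parse import urlencode, urlparse

# Matches the parameters of the UMA 1.0 challenge an RS returns for a request
# without an RPT, e.g.
#   WWW-Authenticate: UMA realm="example", as_uri="https://as.example.com"
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_uma_challenge(header):
    """Return the parameters of a UMA challenge, or None if the scheme is not UMA."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.upper() != "UMA":
        return None
    return dict(_PARAM_RE.findall(rest))


def as_origin(uri):
    """Normalise an AS URL to its https origin; anything else is rejected outright."""
    p = urlparse(uri)
    if p.scheme != "https" or not p.netloc:
        raise ValueError("AS must be an https URL, got %r" % uri)
    return "https://" + p.netloc.lower()


class UmaClient:
    """Client-side handling of the RS -> AS hop, with two checks against a malicious RS."""

    def __init__(self, client_id, redirect_uri, trusted_as):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        # Assumption: the client is configured with the AS origins it is willing to use.
        # An as_uri supplied by an RS is only honoured if it is on this list.
        self.trusted_as = {as_origin(u) for u in trusted_as}
        self.pending = {}  # state -> AS origin the flow was started with

    def on_rs_challenge(self, www_authenticate):
        params = parse_uma_challenge(www_authenticate) or {}
        if "as_uri" not in params:
            raise ValueError("RS response is not a UMA challenge with as_uri")
        origin = as_origin(params["as_uri"])
        if origin not in self.trusted_as:
            raise ValueError("RS directed us to untrusted AS %s; refusing" % origin)
        state = secrets.token_urlsafe(16)
        self.pending[state] = origin  # bind this flow to that one AS
        # Assumption: the AS exposes /authorize; a real client takes this from AS metadata.
        query = urlencode({"response_type": "code", "client_id": self.client_id,
                           "redirect_uri": self.redirect_uri, "state": state})
        return {"state": state, "authorize_url": origin + "/authorize?" + query}

    def on_callback(self, state, code, iss=None):
        # The state is consumed whether or not the checks pass, so there is no retry.
        expected = self.pending.pop(state, None)
        if expected is None:
            raise ValueError("unknown or replayed state")
        # Mix-up check: if the response names its issuer, it must be the AS this
        # state was bound to; an invalid iss is rejected by as_origin() as well.
        if iss is not None and as_origin(iss) != expected:
            raise ValueError("code arrived from %s but flow was started at %s"
                             % (as_origin(iss), expected))
        # The code is only ever redeemed at the AS recorded at start time, never at
        # an endpoint taken from the callback or from the RS, so a bad AS never sees it.
        return {"token_endpoint": expected + "/token", "code": code}


def rejected(func, *args, **kwargs):
    """True if the call raised ValueError, i.e. the client refused that step."""
    try:
        func(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample exchange, not captured traffic.
    client = UmaClient("app1", "https://client.example.org/cb", ["https://as.example.com"])
    honest = 'UMA realm="example", as_uri="https://as.example.com"'
    evil = 'UMA realm="example", as_uri="https://as.example.com.attacker.net"'
    print("malicious RS rejected:", rejected(client.on_rs_challenge, evil))
    start = client.on_rs_challenge(honest)
    done = client.on_callback(start["state"], "c0de", iss="https://as.example.com")
    print("code goes to", done["token_endpoint"])
```

The allowlist is what closes the UMA-specific gap: the RS is the only party in the flow that names an AS, and a client that takes that name at face value has delegated its trust decision to the RS. The state-to-AS binding is the ordinary OAuth mix-up defence and is worth keeping even with an allowlist, since it also catches a trusted AS being swapped for another trusted one mid-flow.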