Security of the OIDC login page with authorization_code flow

Time: 07-01

When we use the authorization code flow in OIDC, I go to /authorization and then it redirects me to the OIDC provider's login page. On this login page there is something like a redirectUrl query string, which contains a link to /authorization with parameters like client_id, state, code_challenge etc. When I'm writing an OIDC server, should I worry that these parameters can be changed while the user is on the login page (e.g. by a malicious extension in the browser)? Maybe I should save these parameters in an httponly, secure cookie after the GET request on the login page?

CodePudding user response:

When I'm writing an OIDC server, should I worry that these parameters can be changed while the user is on the login page (e.g. by a malicious extension in the browser)? Maybe I should save these parameters in an httponly, secure cookie after the GET request on the login page?

Hiding /authorize parameters from plain sight of the user does not protect them from a man-in-the-browser [1] attacker, who would be able to access that data anyway.

The OIDC specification allows passing requests via JWT tokens, which can optionally be signed or even encrypted, which should provide an extra level of security in the considered cases [2, 3].

As an IDP you might defend your users by incorporating out-of-band transaction verification [1], where, if the user is aware of the requested login transactions, he/she might infer that an extra transaction is being made on his/her behalf, or that the confirming message is missing in the authentication flow.

Also, the IDP instance should protect itself from registering services from unauthorized parties, in order to prevent attackers from creating phishing sites pretending to be a legitimate service using a legitimate IDP. The /authorize request contains service credentials (client id, client secret) which must be correctly verified by the IDP.

For more practical elaboration I'd recommend pentesterlab.com, where the Authentication/Authorization badge exercise series will allow you to learn and practice several attacks on OAuth and OIDC protocols and implementations.
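As an added example (not code from the question or the answer above): an authorization server that accepts the /authorize parameters only from inside a signed request object, the mechanism the answer points to in [2, 3], so that a redirect_uri, state or code_challenge altered in the login page's query string either is ignored or breaks the signature. It assumes HS256 keyed with the client secret (one of the options OIDC Core 6.1 permits), a constructed client registry, and a plain dict standing in for the parsed query string.

```python
import base64
import hashlib
import hmac
import json

# Constructed client registry (assumption); the client secret doubles as the HS256 key (OIDC Core 6.1).
CLIENTS = {
    "spa-client": {"secret": b"constructed-client-secret", "redirect_uris": {"https://app.example/callback"}},
}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_request_object(claims: dict, secret: bytes) -> str:
    """Client side: carry the authorization parameters in an HS256-signed JWT (the `request` parameter)."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_authorize_request(query: dict) -> tuple:
    """IdP side: (claims, None) if the /authorize request is acceptable, else (None, reason)."""
    client = CLIENTS.get(query.get("client_id"))
    if client is None:
        return None, "unknown client_id"
    try:
        header_b64, payload_b64, sig_b64 = query.get("request", "").split(".")
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return None, "unexpected alg"  # pin the algorithm; never honour "none" or a key-type switch
        signature = b64url_decode(sig_b64)
    except (ValueError, AttributeError):
        return None, "signed request object missing or malformed"
    expected = hmac.new(client["secret"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    claims = json.loads(b64url_decode(payload_b64))
    # OIDC Core 6.1: client_id and response_type are also sent as plain query parameters and must match
    # the signed values; everything else (redirect_uri, state, code_challenge, ...) is read from the JWT only.
    for name in ("client_id", "response_type"):
        if claims.get(name) != query.get(name):
            return None, f"{name} mismatch"
    if claims.get("redirect_uri") not in client["redirect_uris"]:
        return None, "unregistered redirect_uri"
    if claims.get("code_challenge_method") != "S256" or not claims.get("code_challenge"):
        return None, "PKCE S256 required"
    return claims, None
```

Because the server never reads redirect_uri, state or code_challenge from the bare query string, a browser-side change to those parameters has no effect, and a re-signed or spliced request object fails the HMAC check.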
