Channel 9 Live Interview with Dominick Baier


Description

Join us as we meet with MVP Dominick Baier to discuss all things identity and access control.

Day: 1

Session Type: Channel 9 Live

Code: C9L04

Room: Channel 9 Stage


    The Discussion

    • ghanashyaml

      Hi, at 13:03 Dominick mentions that a random number hash is sent to the STS from the client in the first leg, and in the last leg the random number is sent in clear text. The STS will hash the random number and try to match the hashes. In my thinking, in this case, the STS needs to know the hashing algorithm used by the client and use the same one, or use the certificate public key for this purpose? Related questions: if the attacker is able to intercept the access_token, code/identity_token, he might also be in a position to intercept the clear text being sent to the STS and hence can do a replay of the same request. Is the code one-time use? If yes, what happens if the client wants an access_token for another service it needs to invoke?

    • sethjuarez

      @ghanashyaml: I asked and Brock responded as follows:

      "the answer is 'yes', and the spec is here: tools.ietf.org/html/rfc7636. also, the mitigation is against the shared front-channel only - not back"

      His tweet.
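The exchange ghanashyaml describes is PKCE (RFC 7636), shown here as an added example that is not code from the page or from Dominick Baier's projects: the client sends a SHA-256 hash of a random verifier in the first leg, sends the cleartext verifier when redeeming the code, and the STS recomputes the hash with the method the client named in code_challenge_method (S256 or plain) and consumes the code on first use so a captured code cannot be replayed. The TokenEndpoint class and its issue_code/redeem methods are assumed names for a toy STS, not a real library API.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """RFC 7636 base64url encoding: URL-safe alphabet, padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_verifier() -> str:
    """Client side: 32 random bytes -> 43-char verifier (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(32))


def challenge_s256(verifier: str) -> str:
    """First leg: the client sends only this hash, never the verifier itself."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class TokenEndpoint:
    """Hypothetical STS: binds the challenge to the code, checks it on redemption."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str]] = {}  # code -> (challenge, method)

    def issue_code(self, code_challenge: str, code_challenge_method: str = "S256") -> str:
        """Authorization response: remember which challenge this code belongs to."""
        code = secrets.token_urlsafe(24)
        self._codes[code] = (code_challenge, code_challenge_method)
        return code

    def redeem(self, code: str, code_verifier: str) -> bool:
        """Last leg: pop() makes the code single-use, so a replayed code fails."""
        entry = self._codes.pop(code, None)
        if entry is None:
            return False
        challenge, method = entry
        if method == "S256":
            expected = challenge_s256(code_verifier)
        elif method == "plain":
            expected = code_verifier
        else:
            return False  # unknown method: refuse rather than guess
        return secrets.compare_digest(expected, challenge)
```

A client that needs tokens for another service starts a new authorization request with a fresh verifier rather than reusing the consumed code.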
