Channel 9 Live Interview with Dominick Baier


Description

Join us as we meet with MVP Dominick Baier to discuss all things Identity and Access Control.

Day: 1

Session Type: Channel 9 Live

Code: C9L04

Room: Channel 9 Stage


The Discussion

  • ghanashyaml

    Hi, at 13:03 Dominic mentions that a random number hash is sent to the STS from the client in the first leg, and in the last leg the random number is sent in clear text. The STS will hash the random number and try to match the hashes. In my thinking, in this case, the STS needs to know the hashing algorithm used by the client and use the same one, or use the certificate public key for this purpose? Related questions: if the attacker is able to intercept the access_token, code/identity_token, he might also be in a position to intercept the clear text being sent to the STS and hence can do a replay of the same request. Is the code one-time use? If yes, what happens if the client wants an access_token for another service it needs to invoke?

  • sethjuarez

    @ghanashyaml: I asked and Brock responded as follows:

    "the answer is 'yes', and the spec is here: tools.ietf.org/html/rfc7636. also, the mitigation is against the shared front-channel only - not back"

    His tweet.
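A worked version of the flow the question describes, added here as an example for this page (it is not code from the interview, from Dominick Baier, or from Brock Allen's projects): the client hashes a random verifier with SHA-256 as RFC 7636 specifies, the STS stores the challenge and the `code_challenge_method` it received alongside the authorization code, and on redemption it recomputes the hash, compares in constant time, and refuses any second use of the code. The `AuthorizationServer` class and the function names are my own naming.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed example of RFC 7636 (PKCE); names below are the author's choice, not a real library API.


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for both verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: 32 random bytes -> 43 unreserved characters (RFC 7636 section 4.1)."""
    return _b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: the value sent over the front channel with code_challenge_method."""
    if method == "S256":
        return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":  # allowed by the RFC but gives no protection against a sniffed challenge
        return verifier
    raise ValueError("unsupported code_challenge_method")


class AuthorizationServer:
    """Minimal STS state. The STS needs no out-of-band knowledge of the hash: the client
    names the method in the authorization request, and the STS stores it with the code."""

    def __init__(self) -> None:
        self._pending: dict[str, tuple[str, str]] = {}

    def issue_code(self, code_challenge: str, method: str) -> str:
        code = secrets.token_urlsafe(24)
        self._pending[code] = (code_challenge, method)
        return code

    def redeem_code(self, code: str, code_verifier: str) -> bool:
        # pop() makes the code single-use: a replayed redemption fails even with the right verifier
        entry = self._pending.pop(code, None)
        if entry is None or not 43 <= len(code_verifier) <= 128:
            return False
        challenge, method = entry
        return hmac.compare_digest(make_code_challenge(code_verifier, method), challenge)


def exchange_demo() -> tuple[bool, bool]:
    """Legit redemption followed by a replay of the same code: returns (True, False)."""
    sts, verifier = AuthorizationServer(), make_code_verifier()
    code = sts.issue_code(make_code_challenge(verifier, "S256"), "S256")
    return sts.redeem_code(code, verifier), sts.redeem_code(code, verifier)
```

The first assertion in a test of this block can use the RFC 7636 Appendix B vector: verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` must yield challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`.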
