Attacks on OAuth 2.0 and OpenID Connect: '307 Redirect' and 'IdP Mix-Up'

Keywords: 
OAuth 2.0, OAuth, OpenID Connect, 307 Redirect Attack, IdP Mix-Up Attack
Description: 

In [1], Fett et al. discover and discuss two attacks on OAuth 2.0 and OpenID Connect. The 307 Redirect Attack allows an attacker to learn the user's credentials when she logs in at an IdP that uses the wrong HTTP redirection status code: a 307 redirect makes the browser re-send the POSTed login form, credentials included, to the client's redirect endpoint. In the IdP Mix-Up Attack, the adversary confuses the client about which IdP the user chose. This allows the attacker to obtain an authorization code or an access token in order to access user data or impersonate the user.

Airlock IAM is not vulnerable to the 307 Redirect Attack, as redirects are only performed using the status code 302.

Airlock IAM is not vulnerable to the IdP Mix-Up Attack. Airlock IAM does not communicate with arbitrary IdPs, i.e., all IdPs are configured explicitly. Thus, the adversary is unable to confuse the client as described in the attack.
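The following is an added illustration of that defence, written for this page and not Airlock IAM's own code: the client knows only explicitly configured IdPs (the `IDPS` table, endpoints and names are constructed), binds each authorization request's `state` to the IdP the user chose, and on callback derives the IdP from that binding rather than from anything in the redirect. The optional `iss` check mirrors the issuer-identification mitigation proposed for this attack.

```python
import secrets
from urllib.parse import urlencode

# Constructed configuration: the only IdPs this client will ever talk to.
IDPS = {
    "idp-a": {"issuer": "https://idp-a.example/",
              "authorize": "https://idp-a.example/authorize",
              "token": "https://idp-a.example/token",
              "client_id": "client-at-a"},
    "idp-b": {"issuer": "https://idp-b.example/",
              "authorize": "https://idp-b.example/authorize",
              "token": "https://idp-b.example/token",
              "client_id": "client-at-b"},
}
REDIRECT_URI = "https://client.example/callback"  # constructed


def start_login(session, idp_name):
    """Bind a fresh state to the chosen, configured IdP and build the authz URL."""
    if idp_name not in IDPS:
        # Refuse anything outside the explicit configuration.
        raise ValueError("unknown IdP: %s" % idp_name)
    state = secrets.token_urlsafe(32)
    session.setdefault("pending", {})[state] = idp_name
    idp = IDPS[idp_name]
    params = {"response_type": "code", "client_id": idp["client_id"],
              "redirect_uri": REDIRECT_URI, "state": state}
    return idp["authorize"] + "?" + urlencode(params)


def handle_callback(session, state, code, iss=None):
    """Resolve the IdP from our own state binding; reject anything that disagrees.

    The code is later redeemed only at the token endpoint returned here, i.e.
    the endpoint of the IdP the user actually chose, so a code obtained via a
    confused flow is never sent to an attacker-controlled IdP.
    """
    idp_name = session.get("pending", {}).pop(state, None)  # state is single-use
    if idp_name is None:
        raise PermissionError("unknown or reused state")
    idp = IDPS[idp_name]
    if iss is not None and iss != idp["issuer"]:
        raise PermissionError("issuer mismatch for state bound to %s" % idp_name)
    return {"idp": idp_name, "token_endpoint": idp["token"], "code": code}
```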

[1] D. Fett, R. Küsters, G. Schmitz. A Comprehensive Formal Security Analysis of OAuth 2.0. arXiv:1601.01229, 2016. http://arxiv.org/abs/1601.01229

Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
No action required