Keycloak UMA vulnerabilities

Keycloak's UMA implementation seems tricky to me.

Malicious authorization server attack in UMA 2.0

In a previous post, I described a pass-the-permission-ticket vulnerability in UMA 2.0 in which a malicious UMA resource server could kindly ask a UMA client to give it access tokens actually intended for another UMA resource server. In this post, I am describing a similar attack when the authorization server is malicious.

Pass-the-permission-ticket vulnerability in UMA 2.0

In the User-Managed Access (UMA) 2.0 protocol, a malicious resource server (or a malicious server acting as a resource server) can obtain a requesting party (access) token (RPT) intended for another UMA resource server from a UMA client by passing a permission ticket obtained from the target resource server to the UMA client. This can compromise the privacy (confidentiality) and integrity of UMA protected resources.

UMA 2.0 diagrams

Some diagrams (mostly sequence diagrams) about UMA 2.0.

OAuth 2.x and OpenID Connect sequence diagrams

Some sequence diagrams about OAuth 2.x and OpenID Connect.

Introduction to TLS v1.3

Some notes about how TLS v1.3 works. This is a follow-up to the previous episode about TLS v1.2. As before, the goal is to give a high-level overview of how the protocol works and the role of the different messages, and to be able to understand (and debug) a network traffic dump.

Introduction to TLS v1.2

Some notes about how TLS v1.2 (Transport Layer Security) works. The goal is to explain what is going on in a network traffic dump, the role of the different TLS extensions, the impact of the different cipher suites on security, etc. It includes several diagrams and many references.
