
OpenID Connect has discovery endpoints containing a JWKS endpoint to get public keys to validate Identity and Access tokens.

So for example:

  • I have a desktop application which gets an Identity token from the STS
  • the application gets the jwks_uri from the Discovery document
  • the application gets the public keys from this uri and validates the Identity token

So a man-in-the-middle attacker (like malware on a PC) can:

  • intercept an Identity token from the STS, modify it and sign it with its own private key
  • intercept the jwks_uri request and return its own public key(s)

Can the attacker now send anything he likes without the application knowing it?

Kapé
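The flow from the question, played through as an added example written for this page (not code from the poster or from any OpenID Connect library), in Go with only the standard library: an STS signs an ES256 ID token; the client looks the token's kid up in the JWKS it would have fetched from jwks_uri and checks the signature; malware then forges a token with its own key and answers the jwks_uri request with a JWKS carrying the same kid but its own public key, exactly as described above; finally the client is given a copy of the genuine STS key to pin, the "embed the certificate in the client" idea. The kid `sts-2016`, the issuer `https://sts.example`, the claims and both key pairs are made up and generated in-process, so nothing is fetched over the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// JWK as found in the "keys" array served from the OpenID Connect jwks_uri.
// Only EC P-256 keys are modelled, so kty and crv are implied rather than stored.
type JWK struct {
	Kid string `json:"kid"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

var b64 = base64.RawURLEncoding

func toJWK(kid string, pub *ecdsa.PublicKey) JWK {
	return JWK{Kid: kid,
		X: b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
		Y: b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}
}

// signToken produces an ES256 JWS in compact serialization; the signature is r||s, 32 bytes each.
func signToken(priv *ecdsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid})
	pl, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		panic(err) // example code: Sign only fails on a broken key or RNG
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig)
}

// verifyToken is the client step from the question: look up the token's kid in the JWKS fetched from
// jwks_uri and check the ES256 signature. If pinned is non-nil, the JWKS entry must also equal the key
// embedded in the client, so a swapped JWKS is rejected even when its kid matches.
func verifyToken(token string, jwks []JWK, pinned *JWK) error {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if hb, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" {
		return errors.New("malformed token or unsupported alg") // the token never chooses the algorithm ("none", HS256, ...)
	}
	var key *JWK
	for i := range jwks {
		if jwks[i].Kid == hdr.Kid {
			key = &jwks[i]
		}
	}
	if key == nil {
		return errors.New("no key for kid " + hdr.Kid)
	}
	if pinned != nil && *key != *pinned {
		return errors.New("JWKS key does not match the pinned key")
	}
	xb, ex := b64.DecodeString(key.X)
	yb, ey := b64.DecodeString(key.Y)
	sig, es := b64.DecodeString(parts[2])
	if ex != nil || ey != nil || es != nil || len(sig) != 64 {
		return errors.New("bad base64url in key or signature")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("signature invalid")
	}
	return nil
}

// runScenario plays the question through with freshly generated keys. The kid "sts-2016", the issuer
// URL and the claims are made up for the example; nothing is fetched over the network.
func runScenario() (legitOK, forgedVsRealJWKS, forgedVsSwappedJWKS, forgedVsSwappedJWKSPinned bool) {
	stsKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors ignored: example code
	mitmKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	realJWKS := []JWK{toJWK("sts-2016", &stsKey.PublicKey)}
	swappedJWKS := []JWK{toJWK("sts-2016", &mitmKey.PublicKey)} // malware's answer to the jwks_uri request: same kid, its own key
	legit := signToken(stsKey, "sts-2016", map[string]any{"iss": "https://sts.example", "sub": "alice"})
	forged := signToken(mitmKey, "sts-2016", map[string]any{"iss": "https://sts.example", "sub": "admin"})
	return verifyToken(legit, realJWKS, nil) == nil, // true: the normal case
		verifyToken(forged, realJWKS, nil) == nil, // false: which is why the attacker must also swap the JWKS
		verifyToken(forged, swappedJWKS, nil) == nil, // true: the attack in the question
		verifyToken(forged, swappedJWKS, &realJWKS[0]) == nil // false: the client compares against its embedded STS key
}

func main() {
	fmt.Println(runScenario())
}
```

`go run` prints `true false true false`. The second result is the reason the attacker has to tamper with the jwks_uri response at all: a token signed with the wrong key fails against the genuine JWKS, so the key set itself becomes the target. The pin in the last case only raises the bar, in line with the answer and comments that follow: malware that already controls the PC can patch the embedded key out of the binary, hook the verification routine, or read the token straight out of process memory.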

1 Answer


You cannot defend against this. What you have described is a totally pwned computer. The only thing to do is wipe and reformat. In general, you cannot do anything sensitive on a compromised or potentially compromised computer.

So don't worry about this. Make your app secure from network attacks and let the user determine whether their computer is secure.

Neil Smithline
  • It can also be seen as a 'crack' which causes my application to behave differently. But it still seems like this can't be prevented, or maybe only by embedding the certificate in the client? – Kapé Jun 06 '16 at 07:58
    @Kapé cert pinning may make an attacker's job harder, but it isn't perfect because, given the situation you've described, you can't be sure that your code hasn't been modified. Also, the attacker has access to your memory so they can read/write data directly from there – Neil Smithline Jun 06 '16 at 13:53