Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Recommend that native apps do not use DNS to resolve identity during OAuth #348

Open
Tracked by #339
matthieusieben opened this issue Oct 2, 2024 · 0 comments
Open
Tracked by #339

Comments

@matthieusieben
Copy link
Contributor

Currently the OAuth spec states:

In some client environments, it may be difficult to resolve all identity types. For example, handle resolution may involve DNS TXT queries, which are not directly supported from browser apps. Client implementations might use alternative techniques (such as DNS-over-HTTP) or could make use of a supporting web service to resolve identities.

The use of DNS from native devices has security & privacy implications. An attacker could listen, or worse, temper with DNS based identity resolution to lure users into entering their credentials on the wrong PDS.

We should adapt the spec to state that native devices "MUST" make use of SSL based solutions (DoH, HTTPS atproto identity resolution, or their own SSL protected service) in order to perform the resolution from a backend service.

@bnewbold bnewbold mentioned this issue Oct 3, 2024
12 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant