...
Quorum: No
Meeting Minutes
Topics
Scenario: there is a UMA-based health data-sharing ecosystem
A provider (RqP) receives a (malicious/phishing) email link to access a patient's record (e.g. a patient summary resource)
The provider opens the link in their EMR client
The link points to a malicious RS, which presents a ticket it obtained from an earlier interaction with the target RS to access all available patients
The EMR client follows the WWW-Authenticate header to the target AS; the provider (RqP) authenticates and grants access to the target resource
The EMR client negotiates a token and presents it to the malicious RS
The malicious RS can access the target RS with the token
Conditions:
the client trusts ANY RS
the issued token was a Bearer token
Mitigations:
informational
the client is informed of the RS aud when it receives the token
the provider is informed of the scope of access when authenticating (requires claims gathering)
technical: the client must authenticate to the RS at resource access time
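As an added example (not from the minutes or from any UMA implementation), a Python sketch of the informational mitigation above: the client parses the UMA challenge, obtains the RPT from a simulated AS, and refuses to present the token when its aud does not name the RS the client actually contacted. Hostnames, the ticket value, the scope and the AS behaviour are all constructed for illustration.

```python
import re

# Constructed sample data: the AS's record of which RS registered each
# permission ticket, and the scope the ticket was registered for.
TICKET_REGISTRY = {
    "tkt-7f3a": {"rs": "https://rs.hospital.example",
                 "scope": ["patient-summary:read"]},
}


def as_issue_rpt(ticket):
    """Simulated authorization server (assumption, not a real AS).

    After the RqP has authenticated and granted access, issue an RPT whose
    audience is the RS that registered the ticket. Returned as a claims
    dict; a real RPT would be a signed JWT or an opaque token resolved by
    token introspection at the AS.
    """
    entry = TICKET_REGISTRY[ticket]
    return {"aud": entry["rs"], "scope": entry["scope"]}


def parse_uma_challenge(header):
    """Parse a 'WWW-Authenticate: UMA realm=..., as_uri=..., ticket=...'
    header value into a dict of its quoted parameters."""
    scheme, _, params = header.partition(" ")
    if scheme != "UMA":
        raise ValueError("not a UMA challenge")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def present_rpt(rs_origin, challenge, check_aud=True):
    """Client side. rs_origin is the origin the client actually sent the
    resource request to (and received the challenge from). Returns
    (presented, reason); with check_aud=False the client behaves like the
    vulnerable EMR client in the scenario and trusts any RS."""
    params = parse_uma_challenge(challenge)
    rpt = as_issue_rpt(params["ticket"])
    # Informational mitigation: the token names its intended RS (aud);
    # a ticket relayed by another RS yields a token for the wrong origin.
    if check_aud and rpt["aud"] != rs_origin:
        return False, f"token audience {rpt['aud']} does not match {rs_origin}"
    return True, f"presented with scope {rpt['scope']}"
```

With the check enabled the relayed ticket is detected before the bearer token ever leaves the client; with it disabled the token is handed to whichever RS issued the challenge.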
Plan for vulnerability report + publication
...