
Issuer Confusion

CheariX edited this page Jul 21, 2016 · 1 revision

Issuer Confusion is an attack which targets the Discovery phase of the protocol and bypasses the verification check specified in the OIDC Specification, Section 3.1.3.7: "The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery) MUST exactly match the value of the iss (issuer) Claim."

Attack Scenario & Impact

The Attacker OP sets the issuer parameter to an during the Discovery phase. As a result the Client can be confused that the controls the identities of the Honest OP.

To perform an Issuer Confusion attack, an attacker has to act as an End-User and an Attacker OP simultaneously. The Attacker OP, however, issues tokens containing the email address of the victim in order to log in to his/her account on the Client.

If the issuer claim verification by a Client is not handled correctly, an attacker may be able to log in as an arbitrary End-User of this application. Let the identity of the victim be represented by $ID_V = sub_V : iss_V$ and the identity of the attacker by $ID_A = sub_A : iss_A$, with $iss_V$ and $issuer_V$ (being the claim of the Provider's Configuration Discovery Response) belonging to $OP_V$, and $iss_A$ and $issuer_A$ belonging to $OP_A$. In theory, $OP_A$ should not be able to send a valid Configuration Discovery Response $cdr^*$ containing $issuer_V$. In the attack, however, the attacker uses her $OP_A$ to send exactly $cdr^*$ to a Client with which her victim is registered. If the Client accepts $cdr^*$ and later on compares the claim of the ID Token (which also contains $iss_V$) to $issuer_V$ from $cdr^*$, the attack is successful (and the attacker should be logged in with $ID_V$).

Attack Defense

The OIDC Discovery Specification clearly states in Section 3 that “If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.”
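The following sketch is an added example, not code from this wiki or from any OIDC library. It contrasts a Client check that only compares the iss claim with the issuer the responding OP reported about itself against one that binds both values to the issuer the Client actually ran Discovery against. The function names, host names and sample documents are constructed for illustration, and ID Token signature validation is assumed to happen elsewhere.

```python
class IssuerMismatch(Exception):
    """An issuer value differs from the one the Client expects."""


def naive_accepts(discovery_doc: dict, id_token_claims: dict) -> bool:
    # Flawed: iss is compared only with the issuer the responding OP reported
    # about itself, so that OP chooses the value it is later checked against.
    return id_token_claims.get("iss") == discovery_doc.get("issuer")


def accept_discovery(requested_issuer: str, discovery_doc: dict) -> str:
    # The reported issuer must equal, character for character, the issuer the
    # Client ran Discovery against. No normalisation and no prefix matching.
    reported = discovery_doc.get("issuer")
    if not isinstance(reported, str) or reported != requested_issuer:
        raise IssuerMismatch(f"asked {requested_issuer!r}, got {reported!r}")
    return requested_issuer


def accept_id_token(bound_issuer: str, id_token_claims: dict) -> tuple:
    # iss must exactly match the issuer bound to this OP at Discovery time.
    if id_token_claims.get("iss") != bound_issuer:
        raise IssuerMismatch(f"iss {id_token_claims.get('iss')!r} rejected")
    # The End-User identity is the pair (iss, sub), never sub or email alone.
    return (bound_issuer, id_token_claims["sub"])


def strict_login(requested_issuer: str, discovery_doc: dict, claims: dict) -> tuple:
    bound = accept_discovery(requested_issuer, discovery_doc)
    return accept_id_token(bound, claims)


# Constructed sample data: the Client ran Discovery against ATTACKER, but the
# response and the ID Token both name HONEST as issuer.
HONEST = "https://honest-op.example"
ATTACKER = "https://attacker-op.example"
FORGED_DOC = {"issuer": HONEST, "jwks_uri": ATTACKER + "/jwks"}
FORGED_CLAIMS = {"iss": HONEST, "sub": "victim", "email": "victim@honest-op.example"}

if __name__ == "__main__":
    print("naive check accepts forged pair:", naive_accepts(FORGED_DOC, FORGED_CLAIMS))
    try:
        strict_login(ATTACKER, FORGED_DOC, FORGED_CLAIMS)
    except IssuerMismatch as exc:
        print("strict check rejects:", exc)
```
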
