10.4.1. DDoS Attack on the Authorization Server
A set of malicious clients can launch a DoS attack against the authorization server by pointing the request_uri to a URI that returns extremely large content or is extremely slow to respond. Under such an attack, the server may use up its resources and start failing.
Similarly, a malicious client can specify a request_uri value that itself points to an authorization request URI that uses request_uri to cause the recursive lookup.
To prevent such an attack from succeeding, the server should a) check that the value of the request_uri parameter does not point to an unexpected location, b) check that the media type of the response is application/oauth-authz-req+jwt, c) implement a timeout for obtaining the content of request_uri, and d) not perform recursive GET on the request_uri.
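The four countermeasures listed above, as an added example that is not part of the RFC text: a Python routine that retrieves a request object by reference and applies checks (a) through (d), plus a body size cap against the "extremely large content" case described earlier in this section. The allowlist prefix, the timeout and size-cap values, the client_id and the in-memory response table are constructed for the example; the fake fetcher stands in for an HTTP client, and the alg=none JWT stands in for a signed request object whose signature a real server would verify after these checks pass.

```python
import base64
import json
from dataclasses import dataclass
from urllib.parse import urlparse

EXPECTED_MEDIA_TYPE = "application/oauth-authz-req+jwt"
MAX_BODY_BYTES = 8 * 1024       # size cap on the fetched body (assumed value)
FETCH_TIMEOUT_SECONDS = 2.0     # check (c): retrieval timeout (assumed value)
# Check (a): only request_uri values under prefixes the client pre-registered
# with the authorization server are followed (constructed allowlist).
ALLOWED_PREFIXES = ("https://client.example.com/req/",)


class RequestUriRejected(Exception):
    pass  # raised when a request_uri fails one of the defensive checks


@dataclass
class FakeResponse:  # stand-in for an HTTP response so the example runs offline
    content_type: str
    body: bytes
    delay_seconds: float = 0.0


def check_location(request_uri, allowed_prefixes):
    # (a) absolute https URI under a pre-registered prefix
    parsed = urlparse(request_uri)
    if parsed.scheme != "https" or not parsed.netloc:
        raise RequestUriRejected("request_uri is not an absolute https URI")
    if not request_uri.startswith(allowed_prefixes):
        raise RequestUriRejected("request_uri points to an unexpected location")


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(payload):
    # Constructed test data only: an alg=none JWS standing in for a signed request object.
    header = b64url_encode(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url_encode(json.dumps(payload).encode())}.".encode("ascii")


def jwt_payload(jwt_bytes):
    parts = jwt_bytes.decode("ascii").split(".")
    if len(parts) != 3:
        raise RequestUriRejected("request object is not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def fetch_request_object(request_uri, fetcher, allowed_prefixes=ALLOWED_PREFIXES,
                         timeout=FETCH_TIMEOUT_SECONDS, max_bytes=MAX_BODY_BYTES):
    # Retrieve a request object by reference, applying checks (a)-(d) in order.
    check_location(request_uri, allowed_prefixes)                 # (a)
    response = fetcher(request_uri, timeout, max_bytes)           # (c) + size cap
    media_type = response.content_type.split(";")[0].strip().lower()
    if media_type != EXPECTED_MEDIA_TYPE:                         # (b)
        raise RequestUriRejected(f"unexpected media type {media_type!r}")
    payload = jwt_payload(response.body)
    if "request_uri" in payload or "request" in payload:         # (d) no recursion
        raise RequestUriRejected("nested request_uri/request is not followed")
    return payload


def make_fake_fetcher(table):
    # Simulates an HTTP client that honours the timeout and stops at max_bytes;
    # a real fetcher would stream the body and abort once the cap is exceeded.
    def fetcher(uri, timeout, max_bytes):
        resp = table[uri]
        if resp.delay_seconds > timeout:
            raise RequestUriRejected("timed out fetching request_uri")
        if len(resp.body) > max_bytes:
            raise RequestUriRejected("request object exceeds size cap")
        return resp
    return fetcher


GOOD = {"client_id": "s6BhdRkqt3", "response_type": "code"}        # constructed
NESTED = dict(GOOD, request_uri="https://client.example.com/req/good")  # recursive


def jwt_response(payload, delay=0.0):
    return FakeResponse(EXPECTED_MEDIA_TYPE, make_unsigned_jwt(payload), delay)


RESPONSES = {  # constructed responses keyed by request_uri
    "https://client.example.com/req/good": jwt_response(GOOD),
    "https://client.example.com/req/slow": jwt_response(GOOD, delay=30.0),
    "https://client.example.com/req/html": FakeResponse("text/html; charset=utf-8", b"<html>"),
    "https://client.example.com/req/nested": jwt_response(NESTED),
    "https://client.example.com/req/huge": FakeResponse(EXPECTED_MEDIA_TYPE, b"x" * (1024 * 1024)),
    "https://evil.example/req": jwt_response(GOOD),
}


def run_all():
    # Return {request_uri: "accepted" | rejection reason} for every constructed case.
    fetcher, results = make_fake_fetcher(RESPONSES), {}
    for uri in RESPONSES:
        try:
            fetch_request_object(uri, fetcher)
            results[uri] = "accepted"
        except RequestUriRejected as exc:
            results[uri] = str(exc)
    return results


if __name__ == "__main__":
    for uri, outcome in run_all().items():
        print(f"{uri}: {outcome}")
```

Only the first URI is accepted; each of the others trips exactly one check, which is the point of applying them in a fixed order: the location check runs before any network access, the timeout and size cap bound the cost of the fetch itself, and the media-type and nesting checks reject a response before it is treated as an authorization request.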