[Openid-specs-ab] Defining a Hardened (Mix-up and Cut-and-Paste Proof) OpenID Connect Profile

Torsten Lodderstedt torsten at lodderstedt.net
Thu Apr 14 10:02:54 UTC 2016


Am 12.04.2016 um 23:28 schrieb John Bradley:
> Basically fragment encoding is not a good idea any more other than for 
> JS in the browser or for native apps using view controllers or system 
> browsers.
>
> Servers really should support the form post response mode.

This should go into the new security threat model and mitigations 
document we talked about in the OAuth session.


