[Openid-specs-ab] Defining a Hardened (Mix-up and Cut-and-Paste Proof) OpenID Connect Profile

Torsten Lodderstedt torsten at lodderstedt.net
Thu Apr 14 14:40:50 UTC 2016


How and when shall we start to put the pieces together?

On 14.04.2016 at 13:03, John Bradley wrote:
> Yes.
>
> We should also work on an alternative to fragment for in-browser JS. We do have a couple of proposals at this point.
>
>> On Apr 14, 2016, at 6:02 AM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
>>
>> On 12.04.2016 at 23:28, John Bradley wrote:
>>> Basically fragment encoding is not a good idea any more other than for JS in the browser or for native apps using view controllers or system browsers.
>>>
>>> Servers really should support the form post response mode.
>> This should go into the new security threat model and mitigations document we talked about in the OAuth session.
>>