[Openid-specs-ab] Defining a Hardened (Mix-up and Cut-and-Paste Proof) OpenID Connect Profile
John Bradley
ve7jtb at ve7jtb.com
Thu Apr 14 14:43:19 UTC 2016
For this we have one proposal from Google in Connect and another proposal from Nov in OAuth.
I think there is an effort to reconcile them. This is JS API stuff more than network based, so needs experts.
John B.
> On Apr 14, 2016, at 10:40 AM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
>
> How and when shall we start to put the pieces together?
>
> Am 14.04.2016 um 13:03 schrieb John Bradley:
>> Yes.
>>
>> We should also work on an alternative for fragment for in browser JS. We do have a couple of proposals at this point.
>>
>>> On Apr 14, 2016, at 6:02 AM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
>>>
>>> Am 12.04.2016 um 23:28 schrieb John Bradley:
>>>> Basically fragment encoding is not a good idea any more other than for JS in the browser or for native apps using view controllers or system browsers.
>>>>
>>>> Servers really should support the form post response mode.
>>> This should go into the new security threat model and mitigations document we talked about in the OAuth session.
>>>
>