[Openid-specs-ab] Issue #1164: insecure front-channel use of private_key_jwt client authentication (openid/connect)
Brian Campbell
bcampbell at pingidentity.com
Tue Apr 21 13:10:07 UTC 2020
How did/does that work when client_assertion/client_assertion_type were
being tacked onto the authz request? Without reevaluating the bigger
approach, it sure seemed like client_assertion was trying to be used like a
signed request and so it seems like an actual signed request object should
just be a more appropriate replacement.
On Tue, Apr 21, 2020 at 12:57 AM Roland Hedberg <roland at catalogix.se> wrote:
>
> If we use signed request objects, do we mandate it for all authorization
> requests or just for the first one?
>