[Openid-specs-ab] Univ of Trier OAuth2 / OpenID Connect security flaw paper

Nat Sakimura sakimura at gmail.com
Sat Jan 9 15:27:13 UTC 2016


Thanks.

307 redirect is interesting, but is there anyone using it in our context?
The reason why RFC6749 does not specify the redirect method is to allow JS-based
communications etc. as a framework, and not to allow 307. Perhaps it
should be noted in the security considerations.

The other one is not new.

On Saturday, January 9, 2016, Mike Schwartz <mike at gluu.org> wrote:

> OpenID Connect Gurus:
>
> New vulnerabilities identified by the Univ of Trier:
>
> http://www.scmagazineuk.com/researchers-find-two-flaws-in-oauth-20/article/463919/
>
> - Mike
>
> -------------------------------------
> Michael Schwartz
> Gluu
> http://gluu.org
> SSO / SAML / OpenID Connect / UMA / OAuth2
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
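An added example, not part of Nat's message or of the Trier paper, illustrating why the redirect status matters in this exchange: under RFC 7231 a 307 (and 308) response tells the user agent to repeat the request with the same method and body, while 303 (and, as browsers implement it, 301/302) turns the follow-up request into a GET. So if an IdP answers the user's credential POST with a 307 to the client's redirect_uri, a conforming browser re-sends the whole login form, password included, to the client. The simulated browser below applies those rules to a fake IdP and a fake client; the endpoint names, credentials and code value are constructed for the demonstration.

```python
"""Simulated browser redirect handling: 307 versus 303 after a login POST.

Constructed example (not from the mailing-list post or the Trier paper).
Endpoints, credentials and the authorization code are made up.
"""
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical client callback registered with the IdP.
REDIRECT_URI = "https://client.example/cb"
IDP_LOGIN_URL = "https://idp.example/login"  # hypothetical IdP form target


def idp_handle_login(form: dict, redirect_status: int) -> dict:
    """Fake IdP: accepts the login form POST and, on success, redirects
    the browser straight to the client's redirect_uri with a code.
    The status code used for that redirect is the parameter under test."""
    if not (form.get("username") and form.get("password")):
        return {"status": 401, "headers": {}}
    location = REDIRECT_URI + "?" + urlencode(
        {"code": "c0de", "state": form["state"]}
    )
    return {"status": redirect_status, "headers": {"Location": location}}


def browser_follow(request: dict, response: dict) -> dict:
    """Build the follow-up request a user agent sends after a redirect,
    applying RFC 7231 semantics for each status code."""
    status = response["status"]
    location = response["headers"]["Location"]
    if status == 303:
        # 303: always switch to GET and drop the body.
        return {"method": "GET", "url": location, "body": None}
    if status in (301, 302):
        # 301/302: RFC 7231 permits, and browsers do, rewrite POST to GET.
        return {"method": "GET", "url": location, "body": None}
    if status in (307, 308):
        # 307/308: method and body MUST be repeated verbatim at the new URL.
        return {"method": request["method"], "url": location,
                "body": request["body"]}
    raise ValueError(f"not a redirect: {status}")


def client_callback(request: dict) -> dict:
    """Fake client: reads the code from the query string and records
    whatever body the browser delivered alongside it."""
    query = parse_qs(urlparse(request["url"]).query)
    body = parse_qs(request["body"]) if request["body"] else {}
    return {
        "method": request["method"],
        "code": query.get("code", [None])[0],
        "leaked_password": body.get("password", [None])[0],
    }


def run_login(redirect_status: int) -> dict:
    """Drive one login: browser POSTs the form to the IdP, IdP redirects
    with the given status, browser follows, client reports what arrived."""
    form = {"username": "alice", "password": "hunter2", "state": "xyz"}
    login_request = {"method": "POST", "url": IDP_LOGIN_URL,
                     "body": urlencode(form)}
    response = idp_handle_login(form, redirect_status)
    forwarded = browser_follow(login_request, response)
    return client_callback(forwarded)


if __name__ == "__main__":
    # With 307 the client receives the user's password; with 303 it does not.
    print("307:", run_login(307))
    print("303:", run_login(303))
```

The same authorization code reaches the client in both runs; the only difference is whether the credential form travels with it, which is why an IdP that redirects straight from its login handler should use 303 (or 302), never 307.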