[Openid-specs-ab] Defining a Hardened (Mix-up and Cut-and-Paste Proof) OpenID Connect Profile

Torsten Lodderstedt torsten at lodderstedt.net
Sat Apr 23 11:36:22 UTC 2016


Am 15.04.2016 um 19:05 schrieb Brian Campbell:
> My view is still that the attack is enabled by an omission in OAuth
> of the AS identifying itself in the authorization response. I think
> the fix should be at that layer too. Progress in the OAuth WG isn't
> exactly promising though...
Why don't we bring this discussion to the OAuth WG? It's nearly the same
group of people as on this list.
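The fix Brian describes, the AS identifying itself in the authorization response and the client checking that identity against the AS it actually sent the user to, can be shown in a few lines of client-side code. The following is an added example, not code from this thread or from any OpenID or OAuth specification; it assumes the issuer is carried in a response parameter named `iss` (the name later standardized outside this thread) and that the client binds `state` to the issuer it chose when building the authorization request. Everything else (URLs, codes) is constructed for the demo.

```python
"""Mix-up defense at the client: bind state -> issuer, then require the
authorization response to name the same issuer before redeeming the code.
Added example, not from the mailing-list thread; the 'iss' response
parameter name is an assumption of this example."""
import secrets
from urllib.parse import parse_qs, quote, urlsplit


class MixUpError(Exception):
    """Raised when an authorization response cannot be tied to the AS we chose."""


def _single(query, name):
    """Return the value of a query parameter only if it appears exactly once."""
    values = query.get(name, [])
    return values[0] if len(values) == 1 else None


class Client:
    def __init__(self):
        # state -> issuer of the AS the authorization request was sent to
        self._pending = {}

    def start_authorization(self, issuer):
        """Record which AS this flow targets; the state is the binding handle."""
        state = secrets.token_urlsafe(32)
        self._pending[state] = issuer
        return state

    def handle_redirect(self, redirect_url):
        """Validate the authorization response and return (issuer, code).

        The code is only ever redeemed at the token endpoint of the issuer
        returned here, i.e. the one we started with, never one the response
        merely claims."""
        query = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
        state = _single(query, "state")
        expected_issuer = self._pending.pop(state, None)  # single use
        if expected_issuer is None:
            raise MixUpError("unknown or replayed state")
        iss = _single(query, "iss")
        if iss is None:
            raise MixUpError("authorization response does not identify its issuer")
        if iss != expected_issuer:
            # Classic mix-up: we sent the user to one AS, another one answered.
            raise MixUpError(f"response from {iss}, expected {expected_issuer}")
        code = _single(query, "code")
        if code is None:
            raise MixUpError("authorization response carries no code")
        return expected_issuer, code


def demo():
    """Honest flow succeeds; a mix-up flow is detected before any token request.
    Returns ((issuer, code) for the honest flow, True if the mix-up was caught)."""
    client = Client()
    honest = "https://honest.example/as"      # constructed
    attacker = "https://attacker.example/as"  # constructed

    # Honest flow: request went to 'honest', and 'honest' answers.
    state1 = client.start_authorization(honest)
    response1 = (f"https://client.example/cb?code=abc&state={state1}"
                 f"&iss={quote(honest, safe='')}")
    honest_result = client.handle_redirect(response1)

    # Mix-up: the client started a flow at the attacker's AS, the attacker
    # forwarded the user to the honest AS, and the honest AS's response
    # (tied to the attacker-initiated state) now arrives at the client.
    state2 = client.start_authorization(attacker)
    response2 = (f"https://client.example/cb?code=xyz&state={state2}"
                 f"&iss={quote(honest, safe='')}")
    try:
        client.handle_redirect(response2)
        detected = False
    except MixUpError:
        detected = True
    return honest_result, detected


if __name__ == "__main__":
    print(demo())
```

Without the issuer in the response, the second flow looks identical to the first from the client's point of view, and the client would send the honest AS's code to the attacker's token endpoint; that is why the check has to live at the OAuth layer rather than only in the ID Token.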

