[Openid-specs-ab] Defining a Hardened (Mix-up and Cut-and-Paste Proof) OpenID Connect Profile
torsten at lodderstedt.net
Sat Apr 23 11:36:22 UTC 2016
Am 15.04.2016 um 19:05 schrieb Brian Campbell:
> My view is still that the attack is enabled by an commission in OAuth
> of the AS identifying itself in the authorization response. I think
> the fix should be at that layer too. Progress in the OAuth WG isn't
> exactly promising though...
Why don`t we bring this discussion to the OAuth WG? It`s nearly the same
group of people as on this list.
More information about the Openid-specs-ab