[Openid-specs-ab] Forged id_token_hint
vladimir at connect2id.com
Tue Aug 16 15:28:05 UTC 2016
What are the implications for security when an RP supplies a forged
id_token_hint with an OpenID auth request?
RPs that are registered for HMAC-ed ID tokens can forge an ID token and
its subject (sub) with their client_secret, and submit that as an
id_token_hint. Has anyone thought about this?
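
The point raised above, as an added example that is not part of the original message: with HS256 the OP and the RP hold the same key, so an `id_token_hint` minted by the RP verifies exactly like one the OP issued. The function names, sample values and the OP-side policy shown (use the hint only to confirm the subject of an already authenticated session, with a single-string `aud`) are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    # Any holder of the shared client_secret (OP or RP) can run this.
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(mac)}"

def verify_hs256(token: str, secret: bytes):
    # Returns the claims when the MAC verifies, otherwise None.
    try:
        head, body, sig = token.split(".")
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            return None
        mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, b64url_decode(sig)):
            return None
        return json.loads(b64url_decode(body))
    except (ValueError, AttributeError):
        return None

def handle_id_token_hint(hint, client_id, secret, session_sub):
    # Assumed OP policy: a valid MAC proves only that a key holder made the
    # token, so the hint never establishes who the user is. It is compared
    # against the subject the OP itself authenticated in the current session.
    claims = verify_hs256(hint, secret)
    if not isinstance(claims, dict) or claims.get("aud") != client_id:
        return "invalid_request"
    if session_sub is None or claims.get("sub") != session_sub:
        return "login_required"
    return "ok"

# Constructed sample values, not taken from any real deployment.
SECRET = b"constructed-client-secret"
ISS = "https://op.example"
OP_TOKEN = sign_hs256({"iss": ISS, "aud": "rp-1", "sub": "alice"}, SECRET)
RP_TOKEN = sign_hs256({"iss": ISS, "aud": "rp-1", "sub": "bob"}, SECRET)

if __name__ == "__main__":
    for name, tok in (("OP-issued", OP_TOKEN), ("RP-minted", RP_TOKEN)):
        print(name, verify_hs256(tok, SECRET) is not None,
              handle_id_token_hint(tok, "rp-1", SECRET, "alice"))
```

Both tokens pass MAC verification; only the comparison with the OP's own session subject separates them.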