[Openid-specs-ab] Forged id_token_hint

Vladimir Dzhuvinov vladimir at connect2id.com
Tue Aug 16 15:28:05 UTC 2016


What are the implications for security when an RP supplies a forged
id_token_hint with an OpenID auth request?

RPs that are registered for HMAC-ed ID tokens can forge an ID token and
its subject (sub) with their client_secret, and submit that as an
id_token_hint. Has anyone thought about this?



Vladimir Dzhuvinov
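As an added example (not from the message above or from any OP implementation), here is OP-side handling of id_token_hint that shows why the forgery in the question does not buy the RP anything if the OP treats the hint as a hint only: the HS256 signature, iss and aud all verify for a token the RP minted with its own client_secret, so the sub is only compared against the OP's own session and never used to assert who the End-User is. The client_secret, issuer URL and session subject are constructed values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def hs256_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT. This is what the OP does when issuing HMAC-signed ID
    tokens; an RP that holds client_secret can do exactly the same, which is
    the concern raised in the thread."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def check_id_token_hint(hint: str, client_id: str, client_secret: bytes,
                        issuer: str, session_sub: Optional[str]) -> str:
    """Return 'ok' if the hint names the End-User currently logged in at the OP,
    'login_required' if it does not (or nobody is logged in), and 'invalid' if
    the hint is malformed or fails signature/iss/aud verification."""
    try:
        h, p, s = hint.split(".")
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return "invalid"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return "invalid"
    if header.get("alg") != "HS256":
        return "invalid"
    expected = hmac.new(client_secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return "invalid"
    aud = claims.get("aud")
    aud_ok = aud == client_id or (isinstance(aud, list) and client_id in aud)
    if claims.get("iss") != issuer or not aud_ok:
        return "invalid"
    # Everything above passes for a token the RP forged with its own secret.
    # The subject is therefore only a hint: compare it to the OP's own session
    # and answer login_required on mismatch, as the spec directs for this case.
    if session_sub is None or claims.get("sub") != session_sub:
        return "login_required"
    return "ok"
```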
