[Openid-specs-fapi] Issue #88: Sender constraining the code (openid/fapi)

Nat Sakimura nat at sakimura.org
Wed May 3 07:28:29 UTC 2017

Actually, please ignore this. I probably am too tired now.

The `code` for a confidential client is sender constrained anyways.

Nat Sakimura
Research Fellow, Nomura Research Institute
Chairman of the Board, OpenID Foundation

On 2017-05-03 16:12, Nat Sakimura via Openid-specs-fapi wrote:
> New issue 88: Sender constraining the code
> https://bitbucket.org/openid/fapi/issues/88/sender-constraining-the-code
> Nat Sakimura:
> For AS that provides request object registration endpoint, the AS can
> actually bind the `code` to the client certificate that was used to
> authenticate at the request object registration endpoint. This
> mitigates the `code` phishing attack.
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi

More information about the Openid-specs-fapi mailing list