[Openid-specs-fapi] Issue #88: Sender constraining the code (openid/fapi)
nat at sakimura.org
Wed May 3 07:28:29 UTC 2017
Actually, please ignore this. I probably am too tired now.
The `code` for a confidential client is sender constrained anyways.
Research Fellow, Nomura Research Institute
Chairman of the Board, OpenID Foundation
On 2017-05-03 16:12, Nat Sakimura via Openid-specs-fapi wrote:
> New issue 88: Sender constraining the code
> Nat Sakimura:
> For an AS that provides a request object registration endpoint, the AS can
> actually bind the `code` to the client certificate that was used to
> authenticate at the request object registration endpoint. This
> mitigates the `code` phishing attack.
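The binding described in the quoted issue, as an added sketch that is not part of the original thread or of any FAPI specification text. The class and method names, the `urn:example:request:` prefix and the use of a SHA-256 thumbprint over the certificate bytes are assumptions made for illustration, and the certificate values are constructed stand-ins for DER-encoded certificates.

```python
import hashlib
import hmac
import secrets


def cert_thumbprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes presented on the mutual-TLS connection."""
    return hashlib.sha256(cert_der).hexdigest()


class AuthorizationServer:
    """Hypothetical AS that remembers which certificate registered a request object."""

    def __init__(self) -> None:
        self._request_uris = {}  # request_uri -> thumbprint of registering cert
        self._codes = {}         # code -> thumbprint the code is bound to

    def register_request_object(self, request_object: str, client_cert_der: bytes) -> str:
        # The client authenticates with its certificate at the registration endpoint.
        request_uri = "urn:example:request:" + secrets.token_urlsafe(16)
        self._request_uris[request_uri] = cert_thumbprint(client_cert_der)
        return request_uri

    def authorize(self, request_uri: str) -> str:
        # The code inherits the binding recorded at registration time.
        bound_to = self._request_uris.pop(request_uri)  # one-time use
        code = secrets.token_urlsafe(32)
        self._codes[code] = bound_to
        return code

    def redeem(self, code: str, client_cert_der: bytes) -> bool:
        # The code is consumed on any attempt, so a failed redemption burns it.
        bound_to = self._codes.pop(code, None)
        if bound_to is None:
            return False
        return hmac.compare_digest(bound_to, cert_thumbprint(client_cert_der))


def demo() -> tuple:
    client_cert = b"constructed-client-certificate"  # constructed sample value
    other_cert = b"constructed-other-certificate"    # constructed sample value
    server = AuthorizationServer()
    code_a = server.authorize(server.register_request_object("{...}", client_cert))
    code_b = server.authorize(server.register_request_object("{...}", client_cert))
    legitimate = server.redeem(code_a, client_cert)  # same certificate: accepted
    replayed = server.redeem(code_a, client_cert)    # code already consumed
    phished = server.redeem(code_b, other_cert)      # different certificate: rejected
    return legitimate, replayed, phished


if __name__ == "__main__":
    print(demo())
```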