[Openid-specs-fapi] Issue #88: Sender constraining the code (openid/fapi)
Nat Sakimura
nat at sakimura.org
Wed May 3 07:28:29 UTC 2017
Actually, please ignore this. I probably am too tired now.
The `code` for a confidential client is sender constrained anyways.
---
Nat Sakimura
Research Fellow, Nomura Research Institute
Chairman of the Board, OpenID Foundation
On 2017-05-03 16:12, Nat Sakimura via Openid-specs-fapi wrote:
> New issue 88: Sender constraining the code
> https://bitbucket.org/openid/fapi/issues/88/sender-constraining-the-code
>
> Nat Sakimura:
>
> For an AS that provides a request object registration endpoint, the AS
> can actually bind the `code` to the client certificate that was used to
> authenticate at the request object registration endpoint. This
> mitigates the `code` phishing attack.
>