[Openid-specs-fapi] Issue #91: Id mix up attack (openid/fapi)

tomcjones issues-reply at bitbucket.org
Sat May 6 16:30:34 UTC 2017


New issue 91: Id mix up attack
https://bitbucket.org/openid/fapi/issues/91/id-mix-up-attack

tomcjones:

I frankly do not understand how to implement the following from this section. Is the implication that only dynamic registration will provide the functionality? And by implication that this applies to a secure implementation of OpenID Connect as well?


 By registering a unique redirect_uri, storing it before each session, and then comparing the current callback redirect_uri to that stored in the session, the client can mitigate this attack.




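As an added illustration of the mitigation the quoted sentence describes (example code written for this thread, not from the FAPI specification or from the issue author; all hostnames, paths and client_ids are constructed), the relying party below registers a distinct redirect_uri for each authorization server, stores the expected redirect_uri and state in the session before redirecting the user, and on the callback refuses to use any response that arrived at a different URI than the one recorded. The registration data is a static table here; the same check works whether the per-issuer redirect_uri was registered statically or via dynamic registration, since the client only needs to know which redirect_uri belongs to which issuer.

```python
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed relying-party configuration: one redirect_uri per issuer,
# so the callback path itself identifies which AS the response is from.
CLIENT_BASE = "https://client.example"

REGISTERED = {
    "https://as-honest.example": {
        "client_id": "client-at-honest",
        "redirect_uri": f"{CLIENT_BASE}/cb/honest",
        "authorization_endpoint": "https://as-honest.example/authorize",
    },
    "https://as-other.example": {
        "client_id": "client-at-other",
        "redirect_uri": f"{CLIENT_BASE}/cb/other",
        "authorization_endpoint": "https://as-other.example/authorize",
    },
}


@dataclass
class Session:
    """Per-login state the client keeps server-side (hypothetical session store)."""
    issuer: str = ""
    redirect_uri: str = ""
    state: str = ""


def start_login(issuer: str, session: Session) -> str:
    """Record what this login expects back, then build the authorization URL."""
    reg = REGISTERED[issuer]
    session.issuer = issuer
    session.redirect_uri = reg["redirect_uri"]  # stored before the user is redirected
    session.state = secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": reg["client_id"],
        "redirect_uri": reg["redirect_uri"],
        "state": session.state,
        "scope": "openid",
    }
    return f"{reg['authorization_endpoint']}?{urlencode(params)}"


def handle_callback(callback_url: str, session: Session) -> str:
    """Validate a callback and return the issuer whose token endpoint may receive the code.

    Raises ValueError when the response arrived at a redirect_uri other than the
    one stored for this session (the mix-up case), or when state does not match.
    """
    parts = urlsplit(callback_url)
    received_uri = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if received_uri != session.redirect_uri:
        raise ValueError(
            f"mix-up: response arrived at {received_uri}, expected {session.redirect_uri}"
        )
    query = parse_qs(parts.query)
    if query.get("state", [None])[0] != session.state:
        raise ValueError("state mismatch")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    # Only now is it safe to send the code to session.issuer's token endpoint.
    return session.issuer


def check_callback(callback_url: str, session: Session) -> str:
    """Convenience wrapper: 'ok:<issuer>' on success, 'rejected:<reason>' otherwise."""
    try:
        return "ok:" + handle_callback(callback_url, session)
    except ValueError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    # Normal flow: login started at the honest AS, response lands on /cb/honest.
    s = Session()
    print(start_login("https://as-honest.example", s))
    print(check_callback(f"{CLIENT_BASE}/cb/honest?code=c1&state={s.state}", s))

    # Mix-up case: login started at as-other, but the code shows up on /cb/honest.
    s2 = Session()
    start_login("https://as-other.example", s2)
    print(check_callback(f"{CLIENT_BASE}/cb/honest?code=c2&state={s2.state}", s2))
```

The second scenario is the one the check exists for: the session says the login began at as-other, yet the authorization code arrives on the callback registered at as-honest. A client with a single shared redirect_uri would see nothing unusual and forward that code to the as-other token endpoint; with per-issuer URIs the mismatch between the receiving URI and the stored one is detectable before any code leaves the client.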