[Openid-specs-fapi] Issue #91: Id mix up attack (openid/fapi)
issues-reply at bitbucket.org
Sat May 6 16:30:34 UTC 2017
New issue 91: Id mix up attack
I frankly do not understand how to implement the following from this section. Is the implication that only dynamic registration will provide the functionality? And by implication that this applies to a secure implementation of OpenID Connect as well?
By registering a unique redirect_uri, storing it before each session, and then comparing the current callback redirect_uri to that stored in the session, the client can mitigate this attack.
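As an added example (not part of the issue or of the FAPI specification text), the quoted mitigation implemented with statically registered redirect URIs, one per authorization server, so that no dynamic registration is required; the issuer names, URIs, client id and the session dict are assumptions.

```python
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed registration data for a client that talks to two authorization
# servers. Each issuer has its own pre-registered redirect_uri (assumption:
# both URIs were registered statically, no dynamic registration needed).
ISSUERS = {
    "https://as-one.example": {
        "authorization_endpoint": "https://as-one.example/authorize",
        "redirect_uri": "https://client.example/callback/as-one",
    },
    "https://as-two.example": {
        "authorization_endpoint": "https://as-two.example/authorize",
        "redirect_uri": "https://client.example/callback/as-two",
    },
}


class MixUpDetected(Exception):
    """Callback arrived on a redirect_uri other than the one this session used."""


def begin_authorization(session: dict, issuer: str, client_id: str) -> str:
    """Start a flow: bind issuer, its redirect_uri and a fresh state to the session."""
    cfg = ISSUERS[issuer]
    session["issuer"] = issuer
    session["redirect_uri"] = cfg["redirect_uri"]  # stored before the session starts
    session["state"] = secrets.token_urlsafe(32)
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": cfg["redirect_uri"],
        "state": session["state"],
    })
    return f"{cfg['authorization_endpoint']}?{query}"


def handle_callback(session: dict, request_url: str, params: dict) -> tuple:
    """Accept the callback only if it arrived on the stored redirect_uri.

    Returns (issuer, code); the code is then redeemed only at that issuer's
    token endpoint, never at an endpoint chosen from the response itself."""
    arrived_on = urlsplit(request_url)._replace(query="", fragment="").geturl()
    if arrived_on != session.get("redirect_uri"):
        raise MixUpDetected(f"callback on {arrived_on}, expected {session.get('redirect_uri')}")
    if not secrets.compare_digest(params.get("state", ""), session.get("state", "")):
        raise MixUpDetected("state does not match the session")
    return session["issuer"], params["code"]
```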
More information about the Openid-specs-fapi