[Openid-specs-fapi] Issue #91: Id mix up attack (openid/fapi)

tomcjones issues-reply at bitbucket.org
Sat May 6 16:30:34 UTC 2017

New issue 91: Id mix up attack


I frankly do not understand how to implement the following from this section. Is the implication that only dynamic registration will provide the functionality? And by implication that this applies to a secure implementation of OpenID Connect as well?

 By registering a unique redirect_uri, storing it before each session, and then comparing the current callback redirect_uri to that stored in the session, the client can mitigate this attack.

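As an added illustration of the quoted mitigation (this is example code, not from the FAPI specification or the post above), the client mints a fresh redirect_uri for each session, stores it together with the issuer and state before redirecting the user, and on callback compares the URI the response actually arrived at against the stored one. It assumes the client server accepts callbacks on any path under a constructed base URL and that each minted URI has been registered with the provider (for instance via dynamic registration); the session is a plain server-side dict.

```python
"""Per-session redirect_uri binding against the OAuth/OIDC mix-up attack.

Added example, not code from the FAPI spec or the mailing-list post.
Assumptions: callbacks are accepted on any path under CLIENT_CALLBACK_BASE,
every minted redirect_uri is registered with the provider (e.g. dynamic
registration), and `session` is a server-side dict bound to the user's cookie.
"""
import secrets
from urllib.parse import urlencode, urlsplit, urlunsplit

CLIENT_CALLBACK_BASE = "https://client.example/cb/"  # constructed value


def start_authorization(session, issuer, authorization_endpoint, client_id):
    """Mint a fresh redirect_uri for this session, store it, build the request URL."""
    redirect_uri = CLIENT_CALLBACK_BASE + secrets.token_urlsafe(16)
    state = secrets.token_urlsafe(16)
    # Everything the callback check needs is stored before the user is sent away.
    session["oauth"] = {"issuer": issuer, "redirect_uri": redirect_uri, "state": state}
    query = urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "state": state, "scope": "openid",
    })
    return f"{authorization_endpoint}?{query}"


def check_callback(session, request_url, params):
    """Compare the URI the callback arrived at with the one stored in the session.

    request_url is the full URL the client server received; its query string is
    ignored because that is where the response parameters live.
    Returns (True, code) on success or (False, reason) on any mismatch.
    """
    pending = session.pop("oauth", None)  # one-shot: a second callback cannot reuse it
    if pending is None:
        return False, "no pending authorization in session"
    parts = urlsplit(request_url)
    arrived_at = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    if arrived_at != pending["redirect_uri"]:
        # A response steered to a redirect_uri minted for another session or
        # provider is the mix-up signature: log pending["issuer"] and stop here.
        return False, "callback arrived at unexpected redirect_uri"
    if params.get("state") != pending["state"]:
        return False, "state mismatch"
    if "code" not in params:
        return False, "no authorization code"
    # The code must be redeemed only at the token endpoint of pending["issuer"].
    return True, params["code"]
```

Because the stored entry is popped on first use, a replayed or second callback for the same session is rejected as well.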