On 02.12.19 at 10:05, Christian Mainka wrote:
> I think this problem is not restricted only to the redirect_uri.
> Regarding countermeasure (1), the A-AS can also return the same
> client_id as the client uses on the H-AS.
>
> TL;DR: In countermeasure (1), only the issuer prevents MixUp; the
> client_id parameter can be faked as well during the registration of the
> client (especially if Dynamic Client Registration is used).
What would the issuer identifiers of A-AS and H-AS be in this case, as seen by the client?

-Daniel
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
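The following is an added example, not code from either poster or from any OAuth implementation, sketching the point under discussion: a client implementing countermeasure (1) compares the `iss` and `client_id` returned in the authorization response with what it stored when it started the flow. It simulates a mix-up in which the client starts a flow with the attacker's A-AS, the A-AS forwards the browser to the honest H-AS, and H-AS answers truthfully. All issuer URLs, client_ids, codes and state values are constructed for the example; the `registrations` table models what the client stored at (dynamic) registration time, and the parameter `attacker_client_id` controls whether the A-AS registered the same client_id the client holds at H-AS.

```python
"""Constructed mix-up simulation: issuer vs. client_id as mix-up countermeasure.

Not from the thread or any library. Issuers, client_ids, codes and state
values are made up for illustration.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

HONEST = "https://honest-as.example"      # H-AS, constructed issuer
ATTACKER = "https://attacker-as.example"  # A-AS, constructed issuer


def registrations(attacker_client_id):
    """Client-side view of its registrations at both AS.

    The client_id at H-AS is fixed; the one at A-AS is whatever A-AS handed
    out during Dynamic Client Registration, i.e. attacker-controlled.
    """
    return {
        HONEST: {"client_id": "client-42"},
        ATTACKER: {"client_id": attacker_client_id},
    }


@dataclass
class Session:
    state: str
    issuer: str  # issuer the client chose when it built the authorization request


def start_flow(sessions, regs, chosen_issuer, state):
    """Build the authorization request for `chosen_issuer` and remember the session."""
    sessions[state] = Session(state=state, issuer=chosen_issuer)
    cid = regs[chosen_issuer]["client_id"]
    return f"{chosen_issuer}/authorize?response_type=code&client_id={cid}&state={state}"


def check_response(sessions, regs, redirect_url, *, check_client_id=True, check_iss=True):
    """Validate an authorization response delivered to the client's redirect_uri.

    Returns (accepted, reason). Both checks are optional so the example can
    show what each one catches on its own.
    """
    params = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    session = sessions.get(params.get("state", ""))
    if session is None:
        return False, "unknown state"
    expected_cid = regs[session.issuer]["client_id"]
    if check_client_id and params.get("client_id") != expected_cid:
        return False, "client_id mismatch"
    if check_iss and params.get("iss") != session.issuer:
        return False, f"iss mismatch: got {params.get('iss')}, expected {session.issuer}"
    return True, "ok"


def mixup_scenario(attacker_client_id, *, check_client_id=True, check_iss=True):
    """Client starts with A-AS; A-AS redirects the browser to H-AS with the
    same state; H-AS answers honestly with its own iss and the client_id it knows."""
    regs = registrations(attacker_client_id)
    sessions = {}
    start_flow(sessions, regs, ATTACKER, state="s1")
    response = (
        "https://client.example/cb?code=code-from-honest&state=s1"
        f"&client_id=client-42&iss={HONEST}"
    )
    return check_response(sessions, regs, response,
                          check_client_id=check_client_id, check_iss=check_iss)


def honest_scenario():
    """Control case: flow started with H-AS and answered by H-AS."""
    regs = registrations("irrelevant")
    sessions = {}
    start_flow(sessions, regs, HONEST, state="s2")
    response = (
        "https://client.example/cb?code=code-from-honest&state=s2"
        f"&client_id=client-42&iss={HONEST}"
    )
    return check_response(sessions, regs, response)


if __name__ == "__main__":
    print("honest flow:", honest_scenario())
    print("mix-up, A-AS used a different client_id, client_id check only:",
          mixup_scenario("other-id", check_iss=False))
    print("mix-up, A-AS copied client-42, client_id check only:",
          mixup_scenario("client-42", check_iss=False))
    print("mix-up, A-AS copied client-42, iss check on:",
          mixup_scenario("client-42"))
```

With `check_iss=False` the mix-up is caught only as long as the A-AS handed out a client_id that differs from the one at H-AS; once the A-AS registers the client under `client-42`, the client_id comparison passes and only the `iss` comparison rejects the response, which is the point made in the quoted message.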
