On 03.12.19 at 10:21, Christian Mainka wrote:
> Hi,
>
> according to , countermeasure (1) describes to
>
>> configure [the] authorization servers to return an AS identifier
>> ("iss") and the "client_id" for which a code or token was issued in the
>> authorization response.
>
> So if a MixUp attack is running, the victim contacts A-AS but is
> redirected to H-AS.
> The AS adds - according to the countermeasure - two additional
> parameters to the authorization response: client_id and issuer. Both
> values are set by H-AS, so it returns H-issuer and H-client_id.
I asked for clarification because I would assume that the mix-up attack is thwarted at this point. The client would see H-issuer instead of A-issuer, to which it sent the user. I agree that the client_id is not of much value here.

-Daniel
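The client-side check that the countermeasure relies on, as an added illustration that is not part of the thread or of any OAuth library: the client remembers which AS it sent the user to (keyed by `state`) and rejects an authorization response whose `iss` does not match. All issuer URLs, client IDs and function names below are constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample identifiers (hypothetical, not from the thread): the issuer the
# client sent the user to (A-AS) and the issuer an attacker's AS (H-AS) would return.
A_ISSUER = "https://honest-as.example"
H_ISSUER = "https://attacker-as.example"
CLIENT_ID_AT_A = "client-at-a"
CLIENT_ID_AT_H = "client-at-h"


def start_authorization(session, issuer, client_id, state):
    """Record, keyed by the per-request state, which AS the user was sent to."""
    session[state] = {"iss": issuer, "client_id": client_id}


def validate_authorization_response(session, redirect_url):
    """Return the authorization code only if the response's iss and client_id
    match the AS this flow was started with; raise ValueError otherwise."""
    params = parse_qs(urlparse(redirect_url).query)
    state = params.get("state", [None])[0]
    pending = session.pop(state, None)  # one-shot: also blocks replay of the state
    if pending is None:
        raise ValueError("unknown or already-consumed state")
    iss = params.get("iss", [None])[0]
    if iss != pending["iss"]:
        # This is the mix-up case from the thread: the user was sent to A-AS,
        # but the response carries H-issuer, so the code must not be redeemed.
        raise ValueError(f"issuer mismatch: expected {pending['iss']}, got {iss}")
    client_id = params.get("client_id", [None])[0]
    if client_id != pending["client_id"]:
        raise ValueError("client_id mismatch")
    return params["code"][0]


if __name__ == "__main__":
    session = {}
    start_authorization(session, A_ISSUER, CLIENT_ID_AT_A, "st1")
    url = f"https://client.example/cb?code=abc&state=st1&iss={H_ISSUER}&client_id={CLIENT_ID_AT_H}"
    try:
        validate_authorization_response(session, url)
    except ValueError as exc:
        print("rejected:", exc)
```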
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth