On 03.12.19 at 10:21, Christian Mainka wrote:
> Hi,
>
> according to [1], countermeasure (1) describes to
>
>> configure [the] authorization servers to return an AS identifier
> ("iss") and the "client_id" for which a code or token was issued in the
> authorization response.
>
> So if a MixUp attack is running, the victim contacts A-AS but is
> redirected to H-AS [2].
> The AS adds - according to the countermeasure - two additional
> parameters to the authorization response: client_id and issuer. Both
> values are set by H-AS, so it returns H-issuer and H-client_id.

I asked for clarification because I would assume that the mix-up attack is thwarted at this point. The client would see H-issuer instead of A-issuer, to which it sent the user. I agree that the client_id is not of much value here.

-Daniel
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
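The check Daniel describes, written out as an added example (this is not code from the thread, the draft in [1], or any project): the client remembers which AS it sent the user to for a given state, and on the redirect compares the returned "iss" against that record. The issuer URLs, client IDs and callback URL below are constructed for the example; the client_id comparison is included only to show that it adds nothing the "iss" check does not already give.

```python
"""Client-side mix-up defence: bind the authorization response to the AS
the user was actually sent to, using the "iss" parameter from the
countermeasure quoted above.  Example code, not from the thread."""
from urllib.parse import parse_qs, urlparse
import secrets

# Constructed issuer identifiers for the two ASes in the thread's scenario.
A_ISSUER = "https://a-as.example"   # the AS the victim's client really contacted
H_ISSUER = "https://h-as.example"   # the AS the victim was redirected to


class OAuthClient:
    def __init__(self, registrations):
        # registrations: issuer -> client_id registered at that AS (constructed values)
        self.registrations = registrations
        # state -> issuer the user was sent to; this binding is what defeats the mix-up
        self.pending = {}

    def start_authorization(self, issuer):
        """Record which AS the user is being sent to and return the state value."""
        state = secrets.token_urlsafe(16)
        self.pending[state] = issuer
        return state

    def handle_callback(self, redirect_url):
        """Validate an authorization response delivered to the redirect URI."""
        params = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        state = params.get("state")
        # A state is single-use: pop it so a replay cannot reuse the binding.
        expected_issuer = self.pending.pop(state, None)
        if expected_issuer is None:
            raise ValueError("unknown or replayed state")

        iss = params.get("iss")
        if iss is None:
            raise ValueError("authorization response lacks iss")
        # Core check: H-AS returns H-issuer, but the client sent the user to A-AS.
        if iss != expected_issuer:
            raise ValueError(f"issuer mismatch: expected {expected_issuer}, got {iss}")

        # client_id: only confirms the response is meant for the id registered at
        # the expected AS.  Once iss matched, this adds little, as Daniel notes.
        client_id = params.get("client_id")
        if client_id is not None and client_id != self.registrations[expected_issuer]:
            raise ValueError("client_id mismatch")

        return {"issuer": iss, "code": params["code"]}


if __name__ == "__main__":
    client = OAuthClient({A_ISSUER: "client-at-a", H_ISSUER: "client-at-h"})
    state = client.start_authorization(A_ISSUER)
    try:
        client.handle_callback(
            f"https://client.example/cb?code=c1&state={state}&iss={H_ISSUER}&client_id=client-at-h")
    except ValueError as e:
        print("rejected:", e)
```

The state-to-issuer table is the whole mechanism: without it the client has nothing to compare "iss" against, so a client that only checks that "iss" is present, or that it belongs to some AS it knows, would still accept the H-AS response.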
