Am 03.12.19 um 10:21 schrieb Christian Mainka:
> Hi,
> according to [1], countermeasure (1) describes to
>> configure [the] authorization servers to return an AS identitifier
> ("iss") and the "client_id" for which a code or token was issued in the
> authorization response.
> So if an MixUp attack is running, the victim contacts A-AS but is
> redirected to to H-AS [2].
> The AS adds - according to the countermeasure - two additional
> parameters to the authorization response: client_id and issuer. Both
> values are set by H-AS, so it returns H-issuer and H-client_id.

I asked for clarification because I would assume that the mix-up attack
is twharted at this point. The client would see H-issuer instead of
A-issuer, to which it sent the user.

I agree that the client_id is not of much value here.

OAuth mailing list

Reply via email to