On 06.04.20 at 16:09, Aaron Parecki wrote:

> > The injected authorization code would always refer to a different session (started with a different nonce). The client would therefore get an ID Token with a different nonce. The assumption is that the client would then throw away both the ID Token and the access token.
>
> This is true as long as the client actually validates the ID token it obtained at the token endpoint, even though it may have already obtained one from the authorization response (e.g. response_type=code+id_token). It feels like this should be explained in a little more detail, since having to validate two ID tokens to protect against this attack is not necessarily obvious.
Thanks, that is an important point. I will propose some text on that. -Daniel
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
