> On 15 Feb 2021, at 08:32, Philippe De Ryck <phili...@pragmaticwebsecurity.com> wrote:
>
> [...]
>
> Compared to using a worker for handling RTs, I believe the TMI-BFF only adds
> a single security benefit: an attacker is no longer able to run a silent flow
> to obtain a fresh set of tokens (since the client is now a confidential
> client).
But they can just call the bff-token endpoint to do the same. If there is a security advantage, IMO it is as a defence in depth against open redirects, Unicode normalisation attacks (i.e. not validating the redirect_uri correctly at the AS), etc.

— Neil

--
ForgeRock values your Privacy <https://www.forgerock.com/your-privacy>
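Added illustration (editor's example, not code from either participant or from the TMI-BFF draft): a small in-memory model of the two claims above. The BFF is registered as a confidential client and keeps the refresh token server-side, so script injected into the page cannot run its own token flow; but the same injected script can call the BFF's bff-token endpoint with the browser-attached session cookie and receive a valid access token, exactly as the SPA's own code does. The second scenario shows the defence-in-depth point: an authorization code that leaked (for example through an open redirect the AS failed to catch when matching redirect_uri) is useless without the client secret. The client id, secret, origin, endpoint shapes and the deterministic id generator are all assumptions made for the simulation.

```javascript
'use strict';
// Editor's simulation of a TMI-BFF deployment. Nothing here is real network
// code; the AS, the BFF and the browser are plain functions in one process.

// Assumed registration of the BFF as a confidential client.
const CLIENT_ID = 'spa-bff';
const CLIENT_SECRET = 'bff-only-secret';   // known to the BFF, never to the browser
const APP_ORIGIN = 'https://app.example';

// Deterministic ids keep the example testable; a real AS/BFF uses a CSPRNG.
let idCounter = 0;
function freshId(prefix) { idCounter += 1; return `${prefix}${idCounter}`; }

// ---- Simulated authorization server --------------------------------------
const asCodes = new Map();          // authorization code -> subject
const asRefreshTokens = new Map();  // refresh token -> subject

function asAuthorize(sub) {
  // Front channel: the user authenticated; the AS redirects back with a code.
  // redirect_uri validation is not modelled; a lax check is how a code leaks.
  const code = freshId('code');
  asCodes.set(code, sub);
  return code;
}

function asToken(params) {
  // Back-channel token endpoint. The client is confidential, so the AS
  // requires client authentication before honouring any grant.
  if (params.client_id !== CLIENT_ID || params.client_secret !== CLIENT_SECRET) {
    return { error: 'invalid_client' };
  }
  let sub;
  if (params.grant_type === 'authorization_code') {
    sub = asCodes.get(params.code);
    asCodes.delete(params.code);    // codes are single use
  } else if (params.grant_type === 'refresh_token') {
    sub = asRefreshTokens.get(params.refresh_token);
  }
  if (!sub) return { error: 'invalid_grant' };
  const response = { access_token: `${freshId('at')}:${sub}`, expires_in: 300 };
  if (params.grant_type === 'authorization_code') {
    response.refresh_token = freshId('rt');
    asRefreshTokens.set(response.refresh_token, sub);
  }
  return response;
}

// ---- Simulated BFF (confidential client) ----------------------------------
const bffSessions = new Map();      // session id -> { refresh_token }

function bffCompleteLogin(code) {
  // The BFF redeems the code itself; the secret and refresh token stay here.
  const tok = asToken({ client_id: CLIENT_ID, client_secret: CLIENT_SECRET,
                        grant_type: 'authorization_code', code });
  if (tok.error) return { error: tok.error };
  const sid = freshId('sid');
  bffSessions.set(sid, { refresh_token: tok.refresh_token });
  return { sid };                   // delivered to the browser as an HttpOnly cookie
}

function bffTokenEndpoint(req) {
  // POST /bff-token: mint an access token for the caller's session. The Origin
  // check stops cross-site callers; it cannot distinguish scripts within the origin.
  if (req.headers.origin !== APP_ORIGIN) return { status: 403, body: { error: 'bad_origin' } };
  const session = bffSessions.get(req.cookies.sid);
  if (!session) return { status: 401, body: { error: 'no_session' } };
  const tok = asToken({ client_id: CLIENT_ID, client_secret: CLIENT_SECRET,
                        grant_type: 'refresh_token', refresh_token: session.refresh_token });
  if (tok.error) return { status: 401, body: tok };
  // Only the short-lived access token goes back; the refresh token never leaves.
  return { status: 200, body: { access_token: tok.access_token, expires_in: tok.expires_in } };
}

// ---- Simulated browser tab ------------------------------------------------
function browserTab(sid) {
  // Models what the browser attaches to a same-origin fetch(): the session
  // cookie and the page's Origin. It does not know which script made the call.
  return {
    fetch(path) {
      if (path !== '/bff-token') throw new Error('path not modelled');
      return bffTokenEndpoint({ headers: { origin: APP_ORIGIN }, cookies: { sid } });
    },
  };
}

function scenario() {
  const { sid } = bffCompleteLogin(asAuthorize('alice'));
  const tab = browserTab(sid);
  const spa = tab.fetch('/bff-token').body;   // the application's own token fetch
  const xss = tab.fetch('/bff-token').body;   // identical call from injected script
  // A code that leaked via an open redirect: the attacker lacks the client secret.
  const attacker = asToken({ client_id: CLIENT_ID, client_secret: 'guessed',
                             grant_type: 'authorization_code', code: asAuthorize('alice') });
  return { spa, xss, attacker };
}
```

`scenario()` returns two valid access tokens for alice, one obtained by the SPA and one by the "injected" call, and an `invalid_client` error for the attacker holding a leaked code. The model deliberately omits what would change the first outcome (for example binding bff-token responses to something an injected script cannot present); as written, the BFF only adds the confidential-client layer the message describes.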
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth