> Session cookies serve the same purpose in web apps as access tokens for APIs
> but there are many more web apps than APIs. I use the analogy to illustrate
> that either there are security issues with cloud deployments of web apps or
> the techniques used to secure web apps are ok for APIs as
On 02.12.19 at 10:05, Christian Mainka wrote:
> I think this problem is not only restricted to the redirect_uri.
> Regarding countermeasure (1), the A-AS can also return the same
> client_id as the client uses on the H-AS.
>
> TL;DR: In countermeasure (1), only the issuer prevents MixUp, the
>
Hi Daniel,
I think this problem is not only restricted to the redirect_uri.
Regarding countermeasure (1), the A-AS can also return the same
client_id as the client uses on the H-AS.
TL;DR: In countermeasure (1), only the issuer prevents MixUp, the
client_id parameter can be faked as well during
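As an added example, not part of the thread, a small Python model of countermeasure (1) as described above: the client stores issuer and client_id per pending request and compares them with what the authorization response carries. It shows that a response from the A-AS echoing the client's H-AS client_id passes the client_id comparison and is caught only by the issuer comparison. The AS URLs, state value and function names are constructed for the example.

```python
# Added example (not code from the mailing-list thread): a minimal model of
# mix-up countermeasure (1). The AS echoes iss and client_id in the
# authorization response and the client compares them with the values it
# stored when it started the flow. Names and sample values are constructed.

# Constructed sample data: the honest AS (H-AS) and an attacker-controlled AS (A-AS).
H_AS = "https://honest-as.example"
A_AS = "https://attacker-as.example"

# The thread's point: the A-AS can simply return the client_id the client
# uses at the H-AS, so this value does not identify which AS answered.
CLIENT_ID_AT_H_AS = "client-123"


def start_authorization(pending, state, issuer, client_id):
    """Record, keyed by the state value, which AS the client sent the user to."""
    pending[state] = {"iss": issuer, "client_id": client_id}


def check_client_id_only(pending, response):
    """Countermeasure (1) reduced to the client_id comparison."""
    expected = pending[response["state"]]
    return response["client_id"] == expected["client_id"]


def check_issuer(pending, response):
    """Countermeasure (1) issuer comparison: binds the response to the recorded AS."""
    expected = pending[response["state"]]
    return response["iss"] == expected["iss"]


def mixup_demo():
    """Return (client_id_check_passed, issuer_check_passed) for a mixed-up response."""
    pending = {}
    # The client recorded the H-AS as the AS for this state value.
    start_authorization(pending, "st-1", H_AS, CLIENT_ID_AT_H_AS)
    # Response actually produced by the A-AS: it echoes the H-AS client_id,
    # but its iss value is its own, which the client can compare against.
    response = {
        "state": "st-1",
        "code": "code-from-a-as",
        "iss": A_AS,
        "client_id": CLIENT_ID_AT_H_AS,
    }
    return check_client_id_only(pending, response), check_issuer(pending, response)
```

Running `mixup_demo()` returns `(True, False)`: the client_id check accepts the response, the issuer check rejects it.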