Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: New Version Notification for draft-fett-oauth-dpop-03.txt

2019-12-02 Thread Richard Backman, Annabelle
> Session cookies serve the same purpose in web apps as access tokens for APIs
> but there are many more web apps than APIs. I use the analogy to illustrate
> that either there are security issues with cloud deployments of web apps or
> the techniques used to secure web apps are ok for APIs as

Re: [OAUTH-WG] OAuth 2.0 Security Best Current Practice | Issue in Mix-Up Countermeasure

2019-12-02 Thread Daniel Fett
On 02.12.19 at 10:05, Christian Mainka wrote:
> I think this problem is not only restricted to the redirect_uri.
> Regarding countermeasure (1), also the A-AS can return the same
> client_id as the client uses on the H-AS.
>
> TL;DR: In countermeasure (1), only the issuer prevents MixUp, the
>

Re: [OAUTH-WG] OAuth 2.0 Security Best Current Practice | Issue in Mix-Up Countermeasure

2019-12-02 Thread Christian Mainka
Hi Daniel, I think this problem is not only restricted to the redirect_uri. Regarding countermeasure (1), also the A-AS can return the same client_id as the client uses on the H-AS. TL;DR: In countermeasure (1), only the issuer prevents MixUp, the client_id parameter can be faked as well during