client.
> Anyone reverse engineering their own installation of the native app would
> only extract their own client's credentials, as opposed to the shared secret
> of all installations. Having a confidential client means that requests to the
> token endpoint (code, refresh) are client au
nfidential Client?
Which threats are covered if Dynamic Client Registration is used on
Native Apps?
Best Regards,
Vladi/Christian
[1]: https://tools.ietf.org/html/rfc8252#section-8.4
--
Dr.-Ing. Christian Mainka
Horst Görtz Institute for IT-Security
Chair for Network and Data Security
Ruhr-
PS URIs without wildcard domains or paths"
Covert redirect can be used by abusing unprotected GET parameters (which
are technically not the PATH).
So maybe it would be better to say simply "without wildcards" or
"without wildcard domains, paths, or queries"?
- Section 7.
irect_uri.
Regards
Christian
[1]:
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-4.4.2
[2]: Step 4 in
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-4.4.1
On 02.12.19 11:26, Daniel Fett wrote:
> Am 02.12.19 um 10:05 schrieb Chr
utomatically applied.
> These are more intrusive changes than the per-AS redirect URI and may
> require new parameters.
>
> Daniel
>
>
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
--
Dr.-Ing. Christian Mainka
Horst Görtz Insti
Dual-Window Single Sign-On, https://distinct-sso.com/paper.pdf
[2]: https://github.com/oauthstuff/draft-ietf-oauth-security-topics/pull/53
--
Dr.-Ing. Christian Mainka
Horst Görtz Institute for IT-Security
Chair for Network and Data Security
Ruhr University Bochum, Germany
Universitätsstr. 150, ID
, 27 Oct 2022, 02:16 Daniel Fett, wrote:
Hi Christian,
thanks for bringing this to our attention! I think the recommendations in
the PR are very helpful and we will consider adding the text to the
document.
-Daniel
On 25.10.22 at 15:37, Christian Mainka wrote:
Hi,
we would like to request