by webhamster 2546 days ago
Does Hydra follow the OAuth Security BCP (https://tools.ietf.org/html/draft-ietf-oauth-security-topics...)? I do not see PKCE or mix-up mitigation mentioned, for example.

While not explicitly mentioned, PKCE is supported! And yes, that draft was an important guide during implementation.
How do you deal with IdP/AS mix-up?

The BCP recommends either sending back client_id and iss (but that draft[1] is long expired, and nobody seems to support that implementation), or asking the client to provide a separate exact-match return URI for each AS. The second solution is what I'm doing when implementing multi-AS/IdP OAuth clients, but this requires the clients to be aware of this vulnerability, and that's a rather tall requirement.

[1] https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigati...

There is no issuer in OAuth. Therefore, the distinct-redirect-URI solution is the most universal.
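The distinct-redirect-URI mitigation discussed in the two comments above, as an added example that is not part of the thread or of Hydra: a minimal multi-AS OAuth client that registers one exact-match redirect URI per authorization server, binds each state value to the AS it was issued for, and rejects a callback that arrives at a different AS's redirect URI. The AS names, URLs and client_id are constructed for illustration.

```python
import secrets
from urllib.parse import urlencode

# Constructed sample of two authorization servers the client trusts.
# Each AS gets its OWN exact-match redirect URI; that per-AS URI is the mitigation.
AUTH_SERVERS = {
    "as-a": {"authorize": "https://as-a.example/authorize",
             "redirect_uri": "https://client.example/cb/as-a"},
    "as-b": {"authorize": "https://as-b.example/authorize",
             "redirect_uri": "https://client.example/cb/as-b"},
}

# Pending authorization requests keyed by the unguessable state value.
# Value: the AS the user was sent to. (A real client keeps this in the user session.)
_pending = {}


def start_authorization(as_id, client_id):
    """Build the authorization URL for as_id and record which AS this state belongs to."""
    cfg = AUTH_SERVERS[as_id]
    state = secrets.token_urlsafe(32)
    _pending[state] = as_id
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": cfg["redirect_uri"], "state": state}
    return f"{cfg['authorize']}?{urlencode(params)}", state


def handle_callback(callback_uri, state):
    """Validate an authorization response; return the AS id whose token endpoint
    the code may be exchanged at, or None if the response must be discarded.

    Mix-up check: the AS recorded for this state must be the AS whose dedicated
    redirect URI actually received the response. A code delivered to /cb/as-a for a
    flow that was started against as-b is rejected, so it is never exchanged at the
    wrong (possibly attacker-controlled) AS.
    """
    expected_as = _pending.pop(state, None)   # one-shot: also blocks replay
    if expected_as is None:
        return None                           # unknown or already-used state
    if callback_uri != AUTH_SERVERS[expected_as]["redirect_uri"]:
        return None                           # arrived on another AS's redirect URI
    return expected_as
```

Because the check is an exact string comparison against the registered URI, the AS side must also enforce exact redirect_uri matching for the binding to hold.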