by unscaled
2545 days ago
How do you deal with IdP/AS mix-up? The BCP recommends either sending back client_id and iss (but that draft[1] is long expired, and nobody seems to support that implementation), or asking the client to provide a separate exact-match return URI for each AS. The second solution is what I'm doing when implementing multi-AS/IdP OAuth clients, but this requires the clients to be aware of this vulnerability, and that's a rather tall requirement. [1] https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigati...
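The two mitigations the comment describes, shown in an added Python example that is not part of the comment above and not taken from any OAuth library. It models a client registered with two authorization servers, binds each `state` to the AS the flow was started with, registers a distinct exact-match redirect URI per AS, and on callback checks that the URI the code arrived on belongs to the same AS; it also checks `iss` and `client_id` if the AS happens to echo them in the authorization response. The issuer URLs, redirect paths, code value and the `MultiASClient` / `MixUpError` names are all constructed for the example.

```python
"""Mix-up mitigation in a multi-AS OAuth client (added example, hypothetical names)."""
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass(frozen=True)
class AuthServer:
    issuer: str
    authorization_endpoint: str
    token_endpoint: str
    client_id: str      # this client's registration at that AS
    redirect_uri: str   # exact-match URI registered with this AS and no other


class MixUpError(Exception):
    """The authorization response does not belong to the AS the flow started with."""


class MultiASClient:
    def __init__(self, servers):
        self.by_issuer = {s.issuer: s for s in servers}
        self.by_redirect = {s.redirect_uri: s for s in servers}
        if len(self.by_redirect) != len(servers):
            raise ValueError("every AS needs its own redirect URI")
        self._pending = {}  # state -> issuer the flow was started with

    def start_login(self, issuer):
        srv = self.by_issuer[issuer]
        state = secrets.token_urlsafe(16)
        self._pending[state] = issuer   # remember which AS this state belongs to
        return srv.authorization_endpoint + "?" + urlencode({
            "response_type": "code",
            "client_id": srv.client_id,
            "redirect_uri": srv.redirect_uri,
            "state": state,
        })

    def handle_callback(self, callback_url):
        parsed = urlparse(callback_url)
        # Exact match on scheme/host/path: the path alone identifies the AS that
        # redirected the user back, independently of anything in the query string.
        base = parsed._replace(query="", fragment="").geturl()
        srv = self.by_redirect.get(base)
        if srv is None:
            raise MixUpError("response on an unregistered redirect URI: " + base)
        params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
        expected_issuer = self._pending.pop(params.get("state"), None)
        if expected_issuer is None:
            raise MixUpError("unknown or replayed state")
        # Mitigation 1: the AS the flow started with must own the URI the code landed on.
        if expected_issuer != srv.issuer:
            raise MixUpError(f"flow started with {expected_issuer} but code arrived on "
                             f"{srv.issuer}'s redirect URI")
        # Mitigation 2: if the AS echoes iss / client_id, they must match as well.
        iss = params.get("iss")
        if iss is not None and iss != srv.issuer:
            raise MixUpError("iss in response does not match the expected issuer")
        cid = params.get("client_id")
        if cid is not None and cid != srv.client_id:
            raise MixUpError("client_id in response does not match")
        if "code" not in params:
            raise MixUpError("no authorization code in response")
        # Only now is it safe to redeem the code, and only at this AS's token endpoint.
        return srv.token_endpoint, params["code"]


# Constructed sample configuration: one honest AS and one attacker-controlled AS.
HONEST = AuthServer("https://honest.example", "https://honest.example/authorize",
                    "https://honest.example/token", "client-at-honest",
                    "https://client.example/cb/honest")
ATTACKER = AuthServer("https://attacker.example", "https://attacker.example/authorize",
                      "https://attacker.example/token", "client-at-attacker",
                      "https://client.example/cb/attacker")


def state_of(auth_url):
    return parse_qs(urlparse(auth_url).query)["state"][0]


def normal_flow():
    """User logs in at the honest AS; code comes back on the honest AS's redirect URI."""
    client = MultiASClient([HONEST, ATTACKER])
    state = state_of(client.start_login(HONEST.issuer))
    cb = HONEST.redirect_uri + "?" + urlencode({"code": "c0de", "state": state,
                                                "iss": HONEST.issuer})
    return client.handle_callback(cb)


def mix_up_flow():
    """User picked the attacker's AS, whose authorization endpoint forwarded the user
    to the honest AS. The honest AS sends the code (with the attacker-bound state)
    to the honest redirect URI; returns the error message if the client catches it."""
    client = MultiASClient([HONEST, ATTACKER])
    state = state_of(client.start_login(ATTACKER.issuer))
    cb = HONEST.redirect_uri + "?" + urlencode({"code": "c0de", "state": state})
    try:
        client.handle_callback(cb)
    except MixUpError as e:
        return str(e)
    return None


if __name__ == "__main__":
    print(normal_flow())
    print(mix_up_flow())
```

The per-AS redirect URI only helps because the honest AS itself exact-matches the registered redirect URI for `client-at-honest`: an attacker who forwards the user to the honest AS cannot substitute the `/cb/attacker` path, so the code necessarily lands on the honest path and the state/URI comparison fails. With a single shared redirect URI, the first check degenerates and the client would send the honest AS's code to the attacker's token endpoint; in that configuration only the `iss` check (when the AS actually returns it) catches the mix-up, which is the dependency on AS support the comment points out.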