by brewmarche 909 days ago
To illustrate why OIDC introduced audience validation:

When you separately request user info from an endpoint with an access token (which, according to OG OAuth 2.0, is just an opaque string that cannot be validated), that access token could be someone else's, possibly from a user who logged into a different, malicious application that somehow managed to trick you into using that token.
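The defence the comment alludes to is the ID token `aud` check from OIDC Core section 3.1.3.7: a relying party must confirm the token was issued for its own client_id before trusting the identity in it. The example below is an added illustration, not code from the comment or from any OIDC library; it uses a constructed HS256 shared secret and placeholder client ids (`app-a`, `app-b`) and a minimal hand-rolled JWT so it runs offline with the standard library only. It shows that a token with a perfectly valid signature, minted for the other application, is still rejected by the audience check, which is exactly the substitution an opaque access token cannot defend against.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (placeholders, not real deployments or secrets).
SECRET = b"constructed-demo-secret"
ISSUER = "https://idp.example"
MY_CLIENT_ID = "app-a"       # the relying party running this code
OTHER_CLIENT_ID = "app-b"    # a different application registered at the same IdP


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(subject: str, audience, now=None) -> str:
    """Stand-in for the IdP: issue an HS256-signed ID token for a given client."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": subject, "aud": audience, "iat": now, "exp": now + 300}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_id_token(token: str, expected_audience: str, now=None) -> dict:
    """Relying-party side: return the claims only if the token is valid for *this* client.

    Raises ValueError with a short reason otherwise. The audience check is the
    step that stops a token issued to another application from being accepted.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts

    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    # Signature first: everything below assumes the claims are authentic.
    expected_sig = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")

    # Audience (OIDC Core 3.1.3.7, step 3): aud may be a string or a list and
    # must contain our own client_id. A valid signature alone is not enough.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise ValueError("token not issued for this client")

    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


if __name__ == "__main__":
    ours = mint_id_token("alice", MY_CLIENT_ID)
    print("own token:", verify_id_token(ours, MY_CLIENT_ID)["sub"])
    theirs = mint_id_token("victim", OTHER_CLIENT_ID)
    try:
        verify_id_token(theirs, MY_CLIENT_ID)
    except ValueError as err:
        print("token minted for app-b:", err)
```

The order of checks matters: the signature is verified before any claim is read, and the audience check runs before anything identity-related is returned, so a substituted token fails closed rather than leaking `sub` to the caller.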