I watched one of those videos and it seems to be that a proper consent screen
would have been the best and easiest line of defense. Is there something more
to the attacks where a better consent page (or any consent page for that
matter) would not have been sufficient?
-Brock
On 3/17/2022

Isn’t this essentially what is mitigated in the FAPI-compliant OIDC CIBA by:
1. Requiring the client to initiate the flow with signed request parameters
which include, via some hint, the resource owner for whom authentication is
being requested
2. Requiring that the OP check that the resource

Hi All
One of the agenda items for IETF 113 is the device authorization grant flow
(aka device code flow), scheduled for Thursday 24 March 2022. Before the
meeting, I wanted to share a bit more information for those interested in the
topic and also give those who are unable to attend in

Way back when we wrote dynamic registration, we made the decision to always
have the registration token just be a bearer token. Part of this is because
OAuth2 doesn’t really have a separate “access token” data structure that we
could just replicate in this spot, so there’s no “token type” or