Hi James,

> A client that follows HTTP redirects (or Link: header or any
> other variety of hypertext) might get directed to a 2nd
> service while still using the token from the 1st service.

But why would a legitimate authorization server redirect the client to an attacker's server?

Francisco

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
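The failure mode James describes (a client keeps attaching a bearer token while following redirects away from the service the token was issued for) is usually handled on the client side: the token is bound to the origin it was obtained for and is dropped as soon as a redirect leaves that origin, which is also what mainstream HTTP libraries such as curl do for cross-host redirects unless explicitly told otherwise. The following is an added illustration, not code from this thread or from any OAuth implementation; every URL and the in-memory "server" that answers them are constructed for the example.

```python
"""Added example: a minimal redirect-following client that only sends a
bearer token to the origin the token was obtained for.

Constructed data throughout; nothing here touches the network."""
from urllib.parse import urljoin, urlsplit

# Constructed fake server: url -> (status, response headers, body).
# The first chain redirects off-origin, the second stays on-origin.
FAKE_SERVER = {
    "https://api.example.com/resource": (302, {"Location": "https://cdn.example.net/file"}, ""),
    "https://cdn.example.net/file": (200, {}, "payload"),
    "https://api.example.com/self": (302, {"Location": "/final"}, ""),
    "https://api.example.com/final": (200, {}, "ok"),
}

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def origin(url):
    """(scheme, host, port) triple; two URLs share an origin iff these match."""
    p = urlsplit(url)
    default_port = 443 if p.scheme.lower() == "https" else 80
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port or default_port)


def fetch(url, headers, server=FAKE_SERVER):
    """Stand-in for a real HTTP GET; looks the URL up in the fake server."""
    status, resp_headers, body = server[url]
    return status, resp_headers, body


def get_with_token(url, token, server=FAKE_SERVER, strict=True, max_redirects=5):
    """Follow redirects from `url`, returning (final_url, body, token_sent_to).

    token_sent_to lists the hosts that received the Authorization header.
    strict=True binds the token to the origin of the starting URL and
    withholds it from any redirect target on another origin; strict=False
    reproduces the naive behaviour from the thread, where the token follows
    the redirect wherever it goes.
    """
    token_origin = origin(url)
    token_sent_to = []
    current = url
    for _ in range(max_redirects + 1):
        headers = {}
        if not strict or origin(current) == token_origin:
            headers["Authorization"] = f"Bearer {token}"
            token_sent_to.append(urlsplit(current).hostname)
        status, resp_headers, body = fetch(current, headers, server)
        if status in REDIRECT_STATUSES and "Location" in resp_headers:
            # Location may be relative; resolve it against the current URL.
            current = urljoin(current, resp_headers["Location"])
            continue
        return current, body, token_sent_to
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    for strict in (False, True):
        final, body, sent = get_with_token("https://api.example.com/resource", "t0k3n", strict=strict)
        print(f"strict={strict}: final={final} body={body!r} token sent to {sent}")
```

With `strict=False` the token reaches `cdn.example.net`, which never issued it; with `strict=True` the client still follows the redirect and receives the body, but the second request goes out without the Authorization header. The same-origin redirect chain (`/self` to `/final`) keeps the token on both hops, so legitimate in-service redirects are unaffected.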