Isn’t this essentially what is mitigated in the FAPI-compliant OIDC CIBA by:

1. Requiring the client to initiate the flow with signed request parameters which include, via some hint, the resource owner for whom authentication is being requested
2. Requiring that the OP check that the resource owner approving the grant is the same as that the client associated with the request in step 1

I realise this requires that the client obtains an indication of the username of the resource owner up front to kick things off, but short of this I cannot think of any practical mitigation.

On 18 Mar 2022, at 7:09 am, Pieter Kasselman <pieter.kasselman=40microsoft....@dmarc.ietf.org> wrote:

ant problem by enabling authorization flows on devices that are unable to support a browser or have limited input capabilities. However, looking back over the past 18-24 months, there have been a number of practical exploits published that use social en
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
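The two checks described in the message above (a signed request object that names the resource owner, and an OP that refuses approval from anyone else), as an added example that is not part of the thread and not text from the CIBA or FAPI specifications: a toy OP that verifies the request object, records the `login_hint` it carries, and at approval time rejects a grant unless the authenticated approver matches that hint. The HS256 shared secret, the `client_id`, the in-memory pending table, the `auth_req_id` scheme and the sample user names are constructed assumptions; FAPI requires an asymmetric signature on the request object, which this symmetric stand-in does not model, and CIBA's `login_hint_token` and `id_token_hint` forms are not handled.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret standing in for the client's request-object signing key
# (assumption for this example; FAPI profiles require an asymmetric signature).
CLIENT_SECRET = b"constructed-client-secret"


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWTs do."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url, restoring the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(claims: dict, key: bytes = CLIENT_SECRET) -> str:
    """Step 1 (client side): wrap the backchannel authentication parameters in a signed JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_request_object(token: str, key: bytes = CLIENT_SECRET) -> dict:
    """OP side: check the signature and insist that the client named a resource owner."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed request object")
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("request object signature does not verify")
    claims = json.loads(_b64url_decode(p))
    if "login_hint" not in claims:
        # Only the plain login_hint form is handled in this example (assumption).
        raise ValueError("request object carries no login_hint")
    return claims


def start_backchannel_auth(token: str, pending: dict) -> str:
    """OP side of step 1: bind the verified hint to a pending request id."""
    claims = verify_request_object(token)
    auth_req_id = hashlib.sha256(token.encode()).hexdigest()[:16]  # constructed id scheme
    pending[auth_req_id] = {
        "client_id": claims["client_id"],
        "hint": claims["login_hint"],
        "approved": False,
    }
    return auth_req_id


def approve(auth_req_id: str, authenticated_user: str, pending: dict) -> str:
    """Step 2: only the user the client named may approve; anyone else is refused."""
    req = pending.get(auth_req_id)
    if req is None:
        return "unknown_request"
    if authenticated_user != req["hint"]:
        return "hint_mismatch"
    req["approved"] = True
    return "approved"


if __name__ == "__main__":
    pending = {}
    token = sign_request_object(
        {"client_id": "printer-app", "scope": "openid", "login_hint": "alice@example.test"}
    )
    rid = start_backchannel_auth(token, pending)
    print(approve(rid, "mallory@example.test", pending))  # hint_mismatch
    print(approve(rid, "alice@example.test", pending))    # approved
```

The mismatch branch is the point of the second requirement: a request that reaches the OP's approval step under someone else's session is refused rather than granted, and because the hint travels inside the signed object, a request whose hint was altered in transit fails `verify_request_object` before a pending entry is ever created.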