Hi Denis,

thanks for correcting the thread topic:

On Tue, Mar 29, 2022 at 10:19 PM Denis <denis.i...@free.fr> wrote:

> nothing stops Alice from logging in on Bob's device, obtaining tokens for
> access and then leaving Bob with the device, even in long-term user accounts
>
> Even so, Alice will be unable to use that long-term user account that has
> just been opened the next time an access token is requested by the RS,
> unless she asks Bob again to use Bob's device. In such a case,
> she had better live very close to Bob. :-)
>
>
so I conclude that the security considerations of the spec on subject
identifiers should stipulate that colluding clients must not live close to
each other, then... (or better, that the spec does not try to address this
type of attack, the same as for DPoP)

Hans.

--
hans.zandb...@zmartzone.eu
ZmartZone IAM - www.zmartzone.eu
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth