response_modes is being registered in the metadata registry in https://openid.net/specs/fapi-message-signing-2_0-02.html#section-8

- Filip
I know that the OAuth 2.1 spec has refrained from defining new client metadata parameters, but maybe we should reconsider. A "response_modes" parameter can help prevent unwanted switches or downgrade attacks for a given client.

On several occasions I argued to define such a client metadata parameter for PKCE, "code_challenge_method".
Vladimir Dzhuvinov
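As an added illustration of the enforcement Vladimir describes (example code, not from the thread or any spec; the metadata parameter name `response_modes`, the registry layout and the client IDs are assumed), an authorization server can resolve the effective response mode of a request, falling back to the default that OAuth 2.0 and the OIDC Multiple Response Types spec define for the requested `response_type`, and reject it unless it is in the client's registered list, so that omitting or overriding `response_mode` cannot downgrade a form_post client to query or fragment:

```python
"""Per-client response_modes allow-list check at the authorization endpoint.
Added example; the "response_modes" client metadata parameter is assumed."""


def default_response_mode(response_type: str) -> str:
    """Default mode when the request carries no response_mode.

    "code" and "none" default to query; any response_type containing
    "token" or "id_token" defaults to fragment (OIDC Multiple Response Types).
    """
    parts = set(response_type.split())
    if parts in ({"code"}, {"none"}):
        return "query"
    return "fragment"


# Constructed client registrations (not real clients).
CLIENT_REGISTRY = {
    # Registered to receive responses only via form_post.
    "client-a": {"response_modes": ["form_post"]},
    # Registered without the parameter: no restriction (legacy behaviour).
    "client-b": {},
}


def validate_response_mode(client_id: str, params: dict) -> tuple[bool, str]:
    """Return (accepted, effective_mode_or_error) for an authorization request.

    The effective mode is the explicit response_mode parameter or, if absent,
    the default for the requested response_type. If the client registered
    response_modes, the effective mode must appear in that list.
    """
    client = CLIENT_REGISTRY.get(client_id)
    if client is None:
        return False, "unknown client"
    response_type = params.get("response_type", "code")
    mode = params.get("response_mode") or default_response_mode(response_type)
    allowed = client.get("response_modes")
    if allowed is None:
        return True, mode  # nothing registered, so nothing to enforce
    if mode not in allowed:
        # Covers both an explicit downgrade (response_mode=query) and a
        # silent one (response_mode omitted, default applies).
        return False, f"response_mode '{mode}' not registered for client"
    return True, mode
```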
On 04/11/2025 06:09, Primbs, Jonas wrote:
Hi all,

It references OpenID Connect's response modes (fragment and form_post) as solutions for Browser-Swapping attacks, which I have presented in today's OAuth WG meeting.

I'm interested in your feedback on this first draft, which currently covers only recommendation #2 from my slides, because this is probably the least controversial change.

If you are attending onsite, also feel free to speak to me in the hallway. My company gave me enough of the „No, PKCE…" t-shirts for the rest of the week, so that it's easier for you to find me.

@Brian & Mike: I have learned from the best ;-)

Greetings,
Jonas
Jonas Primbs M.Sc.
University of Tübingen
Faculty of Science
Department of Computer Science
Sand 13, 72076 Tübingen, Germany
Tel.: (+49) 7071 / 29-70512
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]