On 28.10.20 at 12:00, Warren Parad wrote:
> I would likewise assume that issuer validation is always required. But
> maybe I hadn't been thinking about this enough. Is there an
> alternative to validating it, and implicitly trusting it? Because as
> you pointed out either demonstrated control ove
I would likewise assume that issuer validation is always required. But
maybe I hadn't been thinking about this enough. Is there an alternative to
validating it, and implicitly trusting it? Because as you pointed out
either demonstrated control over valid redirect URIs or really any other
secondary
Hi all,
during my work to update the Security BCP, I stumbled upon a problem in
our current recommendations against mix-up attacks.
Until now, our understanding was that adding an "iss" parameter in the
authorization response and using a distinct redirect URI for each
configured issuer provided t