Sender constraining the code

Issue #88 invalid
Nat Sakimura created an issue

For AS that provides request object registration endpoint, the AS can actually bind the code to the client certificate that was used to authenticate at the request object registration endpoint. This mitigates the code phishing attack.

Comments (1)

  1. Nat Sakimura reporter

    It is constrained as we require PKCE in the public client case. For confidential client case, RFC6749 is already sender constraining.

  2. Log in to comment