- changed status to invalid
Sender constraining the code
Issue #88
invalid
For an AS that provides a request object registration endpoint, the AS can actually bind the code to the client certificate that was used to authenticate at the request object registration endpoint. This mitigates the code phishing attack.
Comments (4)
reporter -
reporter - changed component to Part 2: Advanced
reporter - changed component to FAPI 1 – Part 2: Advanced
reporter - changed component to FAPI 1: Advanced
It is constrained as we require PKCE in the public client case. For the confidential client case, RFC 6749 is already sender constraining.
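
Added example, not part of the issue thread or the FAPI specification: a toy authorization server in Python that applies the binding proposed in the issue (the code is tied to the certificate seen at the request object registration endpoint) together with the PKCE S256 check mentioned in the reply. `ToyAS`, its method names, the `urn:example:` request URI and the certificate bytes are hypothetical or constructed; the thumbprint is computed the way RFC 8705 computes `x5t#S256`.

```python
import base64, hashlib, hmac, secrets

def b64url_sha256(data: bytes) -> str:
    """base64url(SHA-256(data)) without padding: the encoding of RFC 8705
    certificate thumbprints (x5t#S256) and of the PKCE S256 challenge."""
    return base64.urlsafe_b64encode(hashlib.sha256(data).digest()).rstrip(b"=").decode()

class ToyAS:
    """Hypothetical in-memory authorization server (assumption, not FAPI text)."""
    def __init__(self):
        self.requests = {}   # request_uri -> binding recorded at registration
        self.codes = {}      # authorization code -> the same binding

    def register_request_object(self, client_cert_der, code_challenge=None):
        # Remember which certificate authenticated the registration call.
        uri = "urn:example:request:" + secrets.token_urlsafe(16)
        self.requests[uri] = {"x5t": b64url_sha256(client_cert_der),
                              "challenge": code_challenge}
        return uri

    def authorize(self, request_uri):
        # The code inherits the binding of the request object it came from.
        code = secrets.token_urlsafe(24)
        self.codes[code] = self.requests.pop(request_uri)
        return code

    def redeem(self, code, client_cert_der, code_verifier=None):
        binding = self.codes.pop(code, None)   # single use, even on failure
        if binding is None:
            return False
        # Sender constraint: same certificate as at registration.
        cert_ok = hmac.compare_digest(binding["x5t"], b64url_sha256(client_cert_der))
        # PKCE S256: the verifier must hash to the stored challenge.
        pkce_ok = binding["challenge"] is None or (
            code_verifier is not None and hmac.compare_digest(
                binding["challenge"], b64url_sha256(code_verifier.encode("ascii"))))
        return cert_ok and pkce_ok

def demo():
    cert_a, cert_b = b"constructed-DER-A", b"constructed-DER-B"  # placeholder bytes
    verifier, results = secrets.token_urlsafe(32), {}
    for name, cert, ver in [("same_cert", cert_a, verifier),
                            ("other_cert", cert_b, verifier),
                            ("wrong_verifier", cert_a, "x" * 43)]:
        server = ToyAS()
        uri = server.register_request_object(cert_a, b64url_sha256(verifier.encode()))
        results[name] = server.redeem(server.authorize(uri), cert, ver)
    return results
```
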