Add clarification on mix-up mitigation

#163 · Created  · Last updated

Merged pull request

Merged in danielfett/fapi2/mix-up-mitigation (pull request #163)

  • 9152eff
  • Author:
  • Closed by:
  • 2020-11-07


I think that per-issuer redirect URIs can be tricky to implement. In particular, they must not be confused with per-AS redirect URIs, as that would not mitigate mix-up (see this blog post).

I propose that we make the iss paramter in the authorization response mandatory and therefore give each client an easy option to prevent mix-up.

0 attachments

Loading commits...