Add clarification on mix-up mitigation
Daniel Fett
Branch: danielfett/fapi2/mix-up-mitigation
Branch: master
Merged pull request
Merged in danielfett/fapi2/mix-up-mitigation (pull request #163)
I think that per-issuer redirect URIs can be tricky to implement. In particular, they must not be confused with per-AS redirect URIs, as that would not mitigate mix-up (see this blog post).
I propose that we make the `iss` parameter in the authorization response mandatory and therefore give each client an easy option to prevent mix-up.
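The client-side check the proposal relies on, as an added example that is not part of this pull request or of the FAPI 2.0 text: the client remembers which authorization server (AS) each pending request was sent to, keyed by `state`, and on the redirect back it accepts the response only if the `iss` response parameter is present and byte-for-byte equal to that issuer. The issuer identifiers and the `Client` class name are constructed for illustration.

```python
# Added example, not part of the pull request: a minimal client-side
# check that binds every authorization response to the authorization
# server (AS) the client actually sent the user to, using the `iss`
# response parameter. Issuer identifiers used here are constructed samples.
import secrets
from urllib.parse import urlparse, parse_qs


class MixUpError(Exception):
    """Authorization response could not be bound to the expected AS."""


class Client:
    """Tracks which AS each pending authorization request was sent to."""

    def __init__(self):
        # state value -> issuer identifier of the AS that received the request
        self._pending = {}

    def start_authorization(self, issuer: str) -> str:
        """Record the target AS for a new request and return its state value."""
        state = secrets.token_urlsafe(32)
        self._pending[state] = issuer
        return state

    def validate_authorization_response(self, redirect_url: str) -> tuple:
        """Return (issuer, code) if the response is bound to the expected AS.

        Raises MixUpError otherwise. The state is consumed on first use, so a
        response cannot be replayed against the same pending request.
        """
        params = parse_qs(urlparse(redirect_url).query, keep_blank_values=True)

        states = params.get("state", [])
        if len(states) != 1 or states[0] not in self._pending:
            raise MixUpError("unknown or missing state")
        expected_issuer = self._pending.pop(states[0])

        # `iss` must be present exactly once; a missing value is a failure,
        # never a silent fall-back to "whatever AS we assume it came from".
        issuers = params.get("iss", [])
        if len(issuers) != 1:
            raise MixUpError("iss parameter missing or repeated")

        # Exact string comparison: no normalisation, no prefix matching.
        if issuers[0] != expected_issuer:
            raise MixUpError(
                f"iss mismatch: expected {expected_issuer!r}, got {issuers[0]!r}"
            )

        codes = params.get("code", [])
        if len(codes) != 1:
            raise MixUpError("code parameter missing or repeated")
        return issuers[0], codes[0]


if __name__ == "__main__":
    client = Client()
    state = client.start_authorization("https://as.example")
    ok = client.validate_authorization_response(
        f"https://client.example/cb?code=abc&state={state}&iss=https%3A%2F%2Fas.example"
    )
    print("accepted:", ok)
    state = client.start_authorization("https://as.example")
    try:
        client.validate_authorization_response(
            f"https://client.example/cb?code=abc&state={state}&iss=https%3A%2F%2Fother-as.example"
        )
    except MixUpError as exc:
        print("rejected:", exc)
```

The point of keying the expected issuer by `state` rather than by redirect URI is exactly what the description asks for: the client does not need one redirect URI per AS, it only needs to compare `iss` against what it stored when it built the request.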