Open leastprivilege opened 8 years ago
http://self-issued.info/?p=1524
That means all IdentityServer3 versions are concerned?
I will tell you once I have evaluated it ;)
Katana does not have an issue - but other client libraries might.
update
https://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-01
More info
http://nat.sakimura.org/2016/01/22/code-phishing-attack-on-oauth-2-0-rfc6749/
http://self-issued.info/?p=1524