IdentityServer / IdentityServer3

OpenID Connect Provider and OAuth 2.0 Authorization Server Framework for ASP.NET 4.x/Katana
https://identityserver.github.io/Documentation/
Apache License 2.0

Evaluate OAuth 2.0 Mixup Mitigation #2444

Open leastprivilege opened 8 years ago

leastprivilege commented 8 years ago

http://self-issued.info/?p=1524

truthbeliever commented 8 years ago

Does that mean all versions of IdentityServer3 are affected?

leastprivilege commented 8 years ago

I will tell you once I evaluated it ;)

Katana does not have an issue - but other client libraries might.

leastprivilege commented 8 years ago

Update:

https://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-01

leastprivilege commented 8 years ago

More info

http://nat.sakimura.org/2016/01/22/code-phishing-attack-on-oauth-2-0-rfc6749/
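The mitigation draft linked above puts the fix on the client side: the authorization server adds `iss` and `client_id` to the authorization response, and the client refuses to redeem a code unless both match the server it actually sent the user to. As an added example (not code from the IdentityServer3 project, Katana, or the linked posts), the following Python sketch shows that relying-party check, since the rule is independent of any particular client library. All issuer URLs, client ids and codes are constructed placeholders.

```python
"""
Client-side mix-up check in the spirit of draft-jones-oauth-mix-up-mitigation-01
(constructed example, not project code): the client remembers which authorization
server each request went to (keyed by `state`) and, on the way back, requires the
response to carry an `iss` and `client_id` matching that server before the code is
sent to any token endpoint.
"""
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse


class MixUpError(Exception):
    """Authorization response cannot be attributed to the server the request went to."""


@dataclass(frozen=True)
class Registration:
    issuer: str          # issuer identifier the AS advertises (hypothetical values below)
    client_id: str       # this client's id at that AS
    token_endpoint: str  # the only place a code from that AS may be redeemed


class MixUpAwareClient:
    def __init__(self, registrations):
        self._by_issuer = {r.issuer: r for r in registrations}
        self._pending = {}  # state -> issuer the authorization request was sent to

    def begin(self, issuer):
        """Record which AS the user is being sent to; return the state bound to it."""
        if issuer not in self._by_issuer:
            raise KeyError(issuer)
        state = secrets.token_urlsafe(16)
        self._pending[state] = issuer
        return state

    def handle_callback(self, redirect_url):
        """Validate the response; return (token_endpoint, code) only if it checks out."""
        params = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        expected_issuer = self._pending.pop(params.get("state"), None)
        if expected_issuer is None:
            raise MixUpError("unknown or already-used state")
        reg = self._by_issuer[expected_issuer]
        # Both parameters are required by the draft; a response without them cannot be
        # attributed to any server, so it is rejected rather than trusted by default.
        if params.get("iss") != expected_issuer:
            raise MixUpError(f"iss {params.get('iss')!r} != expected {expected_issuer!r}")
        if params.get("client_id") != reg.client_id:
            raise MixUpError(f"client_id {params.get('client_id')!r} is not ours at {expected_issuer}")
        if "code" not in params:
            raise MixUpError("no authorization code in response")
        # The code is redeemed only at the token endpoint of the server it is bound to.
        return reg.token_endpoint, params["code"]


def _callback(base, **params):
    """Build a constructed redirect URL as a browser would deliver it."""
    return base + "?" + urlencode(params)


def run_scenarios():
    """Exercise the check against a genuine response and two it must reject."""
    client = MixUpAwareClient([
        Registration("https://as-a.example", "client-at-a", "https://as-a.example/token"),
        Registration("https://as-b.example", "client-at-b", "https://as-b.example/token"),
    ])
    cb = "https://client.example/cb"
    results = {}

    # 1. Genuine response from the server the user was sent to.
    state = client.begin("https://as-a.example")
    results["genuine"] = client.handle_callback(_callback(
        cb, code="code-1", state=state, iss="https://as-a.example", client_id="client-at-a"))

    # 2. Response bound (via state) to A but identifying itself as B: the mix-up
    #    condition the draft is designed to make detectable.
    state = client.begin("https://as-a.example")
    try:
        client.handle_callback(_callback(
            cb, code="code-2", state=state, iss="https://as-b.example", client_id="client-at-b"))
        results["issuer_mismatch"] = "accepted"
    except MixUpError:
        results["issuer_mismatch"] = "rejected"

    # 3. Pre-draft response with no iss/client_id at all: strict clients reject it.
    state = client.begin("https://as-a.example")
    try:
        client.handle_callback(_callback(cb, code="code-3", state=state))
        results["missing_parameters"] = "accepted"
    except MixUpError:
        results["missing_parameters"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Scenario 3 is the compatibility caveat: an authorization server that predates the draft never sends `iss`, so a client that enforces the check strictly will stop working against it. The draft's other recommendation, a distinct `redirect_uri` per issuer, gives such clients a way to tell responses apart without the new parameters.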