> If a response from the AS is untrusted, there are much bigger issues at
> stake. ... or am I missing an obvious attack where random JSON would get
> sent to the Client?
For the web server flow, you know the AS server you called and can reasonably trust the data. For the user agent flow, attackers can create a URL with data and send it to you. This is OK (kind of) if the data is limited to an access token - this would allow an attacker to grant you access to their protected resources, which only has problems if you accidentally send protected data in an update to that account. But if you have other parameters that need to be vouched for by the AS, then it is insecure.

-- Dick
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
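A worked illustration of the user-agent-flow point Dick makes above. This is an added example, not code from the list thread or from any OAuth implementation. It assumes a hypothetical client that receives the AS redirect with the access token in the URI fragment, a hypothetical extra fragment parameter `user_id` that is not vouched for by the AS, and a constructed in-memory stand-in for the resource server's view of which account each token belongs to (a real client would ask the resource server over HTTPS).

```javascript
// Added example (not from the OAuth list thread): a user-agent-flow client
// may act on the access token it finds in the redirect URI fragment, but
// must not trust any other fragment parameter, because an attacker can
// craft that URL and send it to the victim.

// Constructed stand-in for the resource server: which account each token
// issued by the AS actually authorizes. Assumed data, not a real token format.
const RESOURCE_SERVER_TOKENS = {
  'tok-alice-7f3a': { account: 'alice' },
  'tok-mallory-91c2': { account: 'mallory' },
};

// Parse the fragment of a redirect URI such as
//   https://client.example/cb#access_token=...&expires_in=3600
// into a plain object. Everything here is attacker-controllable in the
// user-agent flow, since the attacker can build the URL and send it to you.
function parseFragment(redirectUri) {
  const hash = redirectUri.indexOf('#');
  const params = {};
  if (hash === -1) return params;
  for (const pair of redirectUri.slice(hash + 1).split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1));
    params[key] = value;
  }
  return params;
}

// Vulnerable client: treats a hypothetical `user_id` fragment parameter as if
// the AS had vouched for it, and opens a session for that user.
function vulnerableLogin(redirectUri) {
  const p = parseFragment(redirectUri);
  if (!p.access_token) throw new Error('no access_token in fragment');
  return { sessionUser: p.user_id, token: p.access_token };
}

// Hardened client: the only thing taken from the fragment is the access
// token; who it belongs to is learned from the resource server, so the
// identity is something the AS actually issued. Extra parameters are ignored.
function hardenedLogin(redirectUri, lookupToken = (t) => RESOURCE_SERVER_TOKENS[t]) {
  const p = parseFragment(redirectUri);
  if (!p.access_token) throw new Error('no access_token in fragment');
  const owner = lookupToken(p.access_token);
  if (!owner) throw new Error('access token not recognised by resource server');
  // Note: if the attacker sent us their own token, the session is now bound
  // to the attacker's account. That is the "OK (kind of)" case: harmless
  // unless the client later writes the victim's protected data to it.
  return { sessionUser: owner.account, token: p.access_token };
}

// Constructed attack URL: Mallory sends Alice a link carrying Mallory's own
// token plus a user_id claiming to be Alice.
const ATTACK_URL =
  'https://client.example/cb#access_token=tok-mallory-91c2&user_id=alice';

// Constructed honest URL, as the AS would redirect Alice back.
const HONEST_URL =
  'https://client.example/cb#access_token=tok-alice-7f3a&expires_in=3600&user_id=alice';

// Run both clients against both URLs and report who ends up logged in.
function demo() {
  return {
    vulnerableOnAttack: vulnerableLogin(ATTACK_URL).sessionUser, // 'alice' (impersonation)
    hardenedOnAttack: hardenedLogin(ATTACK_URL).sessionUser,     // 'mallory'
    hardenedOnHonest: hardenedLogin(HONEST_URL).sessionUser,     // 'alice'
  };
}
```

The vulnerable client lets Mallory log in as Alice with nothing more than a link; the hardened client still accepts Mallory's token, but the resulting session belongs to Mallory, which is exactly the limited exposure the message describes.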