Hi Mike,
we require exact redirect URI matching, which should solve the problem;
in PAR you can use a dynamic redirect_uri, but the PAR request must be
authenticated by the client then, making this attack unlikely.
-Daniel
On 02.05.24 at 17:08, Michael Jones wrote:
Hi Daniel and crew,
Do you believe this issue is addressed in the OAuth Security BCP? If
so, can you please add a reference to the pertinent text to this
issue, so we can close it on that basis?
Thanks,
-- Mike
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth