Hi,
I'm currently implementing RFC 8898 and I have a question regarding
this specific paragraph (in
https://www.rfc-editor.org/rfc/rfc8898#name-security-considerations):
/The UAC MUST check the AS URL received in the 401/407 response
against a list of trusted ASs configured on the UAC in order to
prevent several classes of possible vulnerabilities when a client
blindly attempts to use any provided AS./
Could you give some precision on the kind of vulnerabilities that not
checking the returned AS URL in the UAC could cause? This actually
changes the purpose of this RFC, as it no longer allows discovering
new ASs but rather guides the UAC to a specific AS based on its own
list.
Regards,
Timothée Jaussoin
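As an added illustration of the check the quoted paragraph requires (this is example code, not part of the message above and not from RFC 8898 or any implementation of it): a UAC extracts the AS URL from the Bearer challenge in a 401/407 response and accepts it only if it matches a locally configured allowlist of trusted ASs. The challenge parameter name `authz_server` is the one RFC 8898 uses for the AS URL; the allowlist entries and challenge strings are constructed sample values, and the parsing and matching logic is my own. The comparison is deliberately strict (https only, exact host and port, path-segment-boundary prefix), so that look-alike hosts, userinfo tricks, and sibling paths on the same host are rejected rather than blindly used.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist of trusted authorization servers for this UAC.
# In practice the UAC operator provisions these; an entry with no path
# trusts the whole host, an entry with a path trusts that path subtree.
TRUSTED_AS = [
    "https://as.example.com/oauth",
    "https://login.example.net",
]

# name=value or name="quoted value" pairs inside a challenge
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))')


def parse_bearer_challenge(header_value):
    """Parse a 'Bearer ...' WWW-Authenticate / Proxy-Authenticate value.

    Returns a dict of lower-cased parameter names to values, or None if the
    challenge is not a Bearer challenge.
    """
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    return {
        m.group(1).lower(): (m.group(2) if m.group(2) is not None else m.group(3))
        for m in _PARAM_RE.finditer(params)
    }


def _normalize(url):
    """Split a URL into (scheme, host, port, path) with defaults filled in."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()          # hostname drops userinfo
    port = parts.port or (443 if parts.scheme.lower() == "https" else None)
    path = parts.path or "/"
    return parts.scheme.lower(), host, port, path


def is_trusted_as(as_url, trusted=TRUSTED_AS):
    """True only if as_url is https and matches a configured entry exactly on
    scheme, host and port, and lies within the entry's path subtree."""
    try:
        scheme, host, port, path = _normalize(as_url)
    except ValueError:            # e.g. a malformed port
        return False
    if scheme != "https" or not host:
        return False
    for entry in trusted:
        t_scheme, t_host, t_port, t_path = _normalize(entry)
        if (scheme, host, port) != (t_scheme, t_host, t_port):
            continue
        t_path = t_path.rstrip("/")
        # match on a path-segment boundary so /oauthx does not match /oauth
        if path == t_path or path == t_path + "/" or path.startswith(t_path + "/"):
            return True
    return False


def select_as(header_value, trusted=TRUSTED_AS):
    """Return the AS URL from a challenge if present and trusted, else None.

    A None result means the UAC must not contact the offered AS.
    """
    params = parse_bearer_challenge(header_value)
    if not params or "authz_server" not in params:
        return None
    url = params["authz_server"]
    return url if is_trusted_as(url, trusted) else None


if __name__ == "__main__":
    # constructed challenges as they might appear in a 401 response
    for challenge in (
        'Bearer realm="example.com", authz_server="https://as.example.com/oauth/"',
        'Bearer realm="example.com", authz_server="https://as.example.com.evil.test/oauth"',
        'Bearer authz_server="http://as.example.com/oauth"',
    ):
        print(challenge, "->", select_as(challenge))
```

The function returns the URL only when every component agrees with an allowlist entry, so the UAC's behaviour is "use this AS if it is one I was configured to trust", which is the guidance-based model the message describes.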
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org