> Rejecting a GET with code in the URL means that the code is never
"used" at the AS, so can still be exchanged for an access token; and
rejecting the request does not mean it won't leak
That's a good point, Thomas. I still think secure OAuth workflows should
totally avoid putting any kind of sensi
Rejecting a GET with code in the URL means that the code is never "used" at
the AS, so can still be exchanged for an access token; and rejecting the
request does not mean it won't leak. So reject if you like from the user's
point of view, but "consume" the code anyway (and then immediately revoke
t
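The "reject from the user's point of view, but consume the code anyway" behaviour described above, as an added example that is not part of the original thread and not any real authorization server's code. It assumes a hypothetical in-memory code store (`CodeStore`) and a `method` argument telling the token endpoint how the code arrived; the code-replay handling follows RFC 6749 section 4.1.2 (deny the reuse and revoke tokens already issued from that code).

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass
class AuthCode:
    """One issued authorization code and what was minted from it."""
    client_id: str
    issued_at: float
    consumed: bool = False
    tokens: list = field(default_factory=list)

class CodeStore:
    """Hypothetical AS-side store; only the consumption logic matters here."""

    def __init__(self, ttl_seconds: int = 60):
        self.codes = {}            # code -> AuthCode
        self.revoked_tokens = set()
        self.ttl = ttl_seconds

    def issue(self, client_id: str) -> str:
        code = secrets.token_urlsafe(32)
        self.codes[code] = AuthCode(client_id, time.time())
        return code

    def redeem(self, code: str, client_id: str, method: str) -> Tuple[Optional[str], Optional[str]]:
        """Return (error, access_token). Exactly one of the two is None."""
        rec = self.codes.get(code)
        if rec is None:
            return ("invalid_grant", None)
        if rec.consumed:
            # Replay of a code that was already used: deny and revoke everything
            # previously issued from it (RFC 6749 4.1.2).
            self.revoked_tokens.update(rec.tokens)
            rec.tokens.clear()
            return ("invalid_grant", None)
        # Mark the code used before deciding anything else, so a code that
        # showed up in a GET (and may therefore sit in logs or Referer headers)
        # is burned even though this request is rejected.
        rec.consumed = True
        if method.upper() != "POST":
            return ("invalid_request", None)
        if rec.client_id != client_id or time.time() - rec.issued_at > self.ttl:
            return ("invalid_grant", None)
        token = secrets.token_urlsafe(32)
        rec.tokens.append(token)
        return (None, token)

    def is_revoked(self, token: str) -> bool:
        return token in self.revoked_tokens

def demo_leaked_via_get() -> Tuple[Optional[str], Optional[str]]:
    """A code first seen in a GET is rejected, and a later proper POST with
    the same code fails too, because the GET consumed it."""
    store = CodeStore()
    code = store.issue("client-a")
    first = store.redeem(code, "client-a", "GET")
    second = store.redeem(code, "client-a", "POST")
    return (first[0], second[0])

def demo_replay_revokes() -> Tuple[bool, str]:
    """Normal redemption works once; the replay is denied and the token revoked."""
    store = CodeStore()
    code = store.issue("client-a")
    err, token = store.redeem(code, "client-a", "POST")
    assert err is None and token is not None
    replay_err, _ = store.redeem(code, "client-a", "POST")
    return (store.is_revoked(token), replay_err)

if __name__ == "__main__":
    print(demo_leaked_via_get())   # ('invalid_request', 'invalid_grant')
    print(demo_replay_revokes())   # (True, 'invalid_grant')
```

The ordering is the point: `consumed` is set before the transport or client check runs, so the user-facing rejection and the server-side consumption happen on the same request, and the code cannot later be exchanged by whoever else saw the URL.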
Hello,
Implementing mTLS on the RS side raised the following question:
What error code should the RS return if the x5t#S256 bound to the access
token doesn't match the hash of the submitted client certificate?
Here are the error codes already defined in "bearer token usage":
https://tools
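The check the question is about, as an added example (not code from the thread or from any OAuth implementation): compute the x5t#S256 thumbprint of the certificate the client presented on the TLS connection and compare it with the `cnf` claim of the access token. `check_cert_binding` and the `CONSTRUCTED_CERT` bytes are assumptions for illustration; in a real RS the DER bytes come from the TLS layer and the claims from validating the token.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

def x5t_s256(cert_der: bytes) -> str:
    """base64url(SHA-256(DER certificate)) without padding, as used in cnf.x5t#S256."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def check_cert_binding(token_claims: dict, presented_cert_der: Optional[bytes]) -> Tuple[str, Optional[str]]:
    """Return ("ok", None) or (error_code, error_description) for the RS to send."""
    cnf = token_claims.get("cnf") or {}
    expected = cnf.get("x5t#S256")
    if expected is None:
        # Not a certificate-bound token; whether to accept it is RS policy.
        return ("ok", None)
    if presented_cert_der is None:
        return ("invalid_token", "certificate-bound token presented without a client certificate")
    actual = x5t_s256(presented_cert_der)
    # Constant-time comparison, same as any other credential check.
    if not hmac.compare_digest(actual, expected):
        return ("invalid_token", "client certificate does not match the token's x5t#S256 binding")
    return ("ok", None)

def www_authenticate_header(error: str, description: str) -> str:
    """RFC 6750-style challenge the RS returns with a 401."""
    return f'WWW-Authenticate: Bearer error="{error}", error_description="{description}"'

# Constructed stand-in for a client certificate's DER bytes (not a real certificate).
CONSTRUCTED_CERT = b"constructed DER bytes standing in for the client certificate"
OTHER_CERT = b"constructed DER bytes for a different certificate"

def demo() -> Tuple[str, str, str]:
    claims = {"sub": "client-a", "cnf": {"x5t#S256": x5t_s256(CONSTRUCTED_CERT)}}
    matching, _ = check_cert_binding(claims, CONSTRUCTED_CERT)
    mismatch, desc = check_cert_binding(claims, OTHER_CERT)
    missing, _ = check_cert_binding(claims, None)
    print(www_authenticate_header(mismatch, desc))
    return (matching, mismatch, missing)

if __name__ == "__main__":
    print(demo())   # ('ok', 'invalid_token', 'invalid_token')
```

For the error code itself: the published RFC 8705 resolves the question by having the RS treat a thumbprint mismatch as an `invalid_token` error from the RFC 6750 set (`invalid_request`, `invalid_token`, `insufficient_scope`), i.e. a 401 with the challenge above, since from the RS's point of view the presented token is not valid for this connection.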