Hi,
> On 27. Nov 2019, at 15:04, Pedram Hosseyni wrote:
>
> Hi Mike,
>
> > Wouldn't most RSs only trust access tokens from a single AS anyways?
>
> At the last OSW, there was broad agreement that this is typically the case.
> Otherwise, the mitigation that we suggested in the paper would n
Hi Mike,
> Wouldn't most RSs only trust access tokens from a single AS anyways?
At the last OSW, there was broad agreement that this is typically the
case. Otherwise, the mitigation that we suggested in the paper would not
prevent the attack.
> Would it be reasonable for the document to reco
Hi Pedram,
I understand why a client would need to allow use of multiple authorization
servers if the client needs to access various resource servers each of which
may trust different ASs (e.g. the client supports accessing resources at
multiple cloud storage services).
However, how common is