Hi George,
client impersonation is covered extensively in RFC6749 already, with
further recommendations in RFC6819. The basics of this attack have not
changed since public clients were introduced, but, as you mention, on
mobile operating systems we see new mechanics for authenticating clients
(or
While this is mostly covered in section 8.6 of RFC 8252 for native apps,
I wonder if we shouldn't mention "Client Impersonation" in this doc as
well in that any public client can be easily impersonated. Mobile OSes
are providing additional mechanisms for "authenticating" the client but
it's unc
Hi all,
this version most importantly updates the recommendations for Mix-Up
mitigation, building upon
https://tools.ietf.org/html/draft-ietf-oauth-iss-auth-resp-00. The
description of Mix-Up attacks has also been improved.
Smaller changes:
* Make the use of metadata RECOMMENDED for both serv