Greetings,
Is this scenario any different from a PKCE downgrade attack, as described in
OAuth 2.0 Security Best Current Practice section 4.8.2?
Warm regards and happy new year!
Christopher Burroughs
Original Message
On Jan 5, 2022, 21:29, Benjamin Häublein wrote:
>
Greetings,
I apologize in advance if this question (my first on this list!) is silly :)
Regarding CORS support for the authorization endpoint, what about "web message"
silent refresh flows? While it never became an RFC, I reckon it is implemented
in quite a few places. Is this pattern generally