Covert Redirect Vulnerability with OAuth 2

5/7/2014, 7:27:45 PM
bulknews:
tl;dr Covert Redirect Vulnerability is a real, if not new, threat when combined with Implicit Grant Flow (not Code flow)
This Covert Redirect Vulnerability in OAuth 2 is an interesting one.
There’s a couple of defending arguments that this isn’t a flaw in OAuth itself.
While I agree that…
OpenID Connect mandates full length matching in redirect_uri validation according to other blogs, which should be good enough to avoid this problem, I guess. I have to check spec and implementation though.
http://weblog.bulknews.net/post/85008516879/covert-redirect-vulnerability-with-oauth-2
« On being an OP of OpenID ConnectBlogOn Startups: How we develop new features extremely fast »