Skip to content

Browser-Swapping #230

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Browser-Swapping #230

wants to merge 1 commit into from

Conversation

@JonasPrimbs
Copy link

@JonasPrimbs JonasPrimbs commented Nov 4, 2025

Added references to OpenID Connect response modes and addressed browser-swapping attack mitigation strategies.

@JonasPrimbs
Browser-Swapping
191d5e7 
Added references to OpenID Connect response modes and addressed browser-swapping attack mitigation strategies.
@OllieJC
Copy link

OllieJC commented Nov 5, 2025

Just throwing in another potential mitigation:

  • use POSTs with the authorisation endpoint (currently a MAY, could we bump to a SHOULD?)
  • auth servers should for a given client allow specifiying expected auth request URI method and then fail if request with another method is used
  • use response_mode=form_post
  • again, auth servers should allow specifiying expected response_mode and fail if different

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@JonasPrimbs @OllieJC