Think of it from the PoV of the thing sending the access token. ... • Aaron Parecki

45°F

alianora https://cybre.space/@nightpool • May 2
@aaronpk but the browser is also the one executing the code that's verifying whether the browser transferred the data correctly? maybe a concrete attack would help me get my head around this better

Think of it from the PoV of the thing sending the access token. It wants to make sure the AT ends up in the client and isn't stolen along the way. It can't trust the browser's address bar because the browser isn't the thing it's sending the token to, the code in the browser is.

Mountain View, California • 49°F

Thu, May 2, 2019 10:13am -07:00

Have you written a response to this? Let me know the URL:

Posted in /replies using monocle.p3k.io