Ross Horne

Results 8 comments of Ross Horne

Hi all, I'm bumping this, since I think it wasn't resolved and is critical, as mentioned here: https://github.com/solid/solid-oidc/issues/221 Would it make sense to resolve this thread as an editorial decision...

I see the update @woutermont links to above suggests extending WAC to address the problem. That's fine technically, but it just means that WAC converges more with ACP (as noted...

Hi Aaron, That's a classic authentication mistake to think that since a client thinks it's binding to a session that cannot be manipulated. I maintain that "Auth 1" is required....

Hi @woutermont thanks for reinforcing RFC 9207. I wonder what is the best concrete strategy to implement this in the specifications. Both the Solid OIDC primer and spec should be...

Hi Aaron, Wouter, Frederick?, Laurens?, and other OIDC experts. We could schedule a special topics meeting on this. How about 24 October? That seems to be the next slot in...

Thank you @elf-pavlik. Here are some key references from last time that are safe to post, since they are in the public domain and covered by RFC 9207. The original work...

Hi @elf-pavlik @acoburn excuse me. I must have mixed up time zones (I'm available now). I think your resolution is good OK. I can contribute a short explanation when writing.

Already having RFC 9207 as MUST (most places) plugs most Cross-Site Request Forgery (CSRF) attacks I was worried about, so that's great. However, for the record, I was also wanting...