Tuesday, February 25. 2025

Thanks for your research on this!

I have a small addition to the “Impact” section: Some OpenID Providers also double as plain OAuth Authorization Servers, and probably most of them also use the same signing keys to sign the OAuth access tokens; a profile of this was specified in retrospect in RFC 9068.

If an attacker is able to create access tokens on his own, he can also impersonate any user at any API / resource accepting those tokens.
#1 Julius (Homepage) on 2025-02-25 20:58
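As an added illustration of the point above (example code, not part of the comment or the post): an RFC 9068-style acceptance check at a resource server, which only trusts a JWT as an access token if the signature verifies, the header `typ` is `at+jwt`, and `iss`, `aud` and `exp` match, so an ID token signed with the same provider key cannot be replayed against the API. An HS256 shared secret stands in for the provider's asymmetric key, and the issuer, audience and client id are constructed.

```python
import base64, hashlib, hmac, json

# Constructed values: an HS256 shared secret stands in for the provider's
# asymmetric signing key so this runs on the standard library alone.
KEY = b"constructed-demo-signing-key"
ISSUER = "https://op.example"          # hypothetical OpenID Provider / AS
API_AUDIENCE = "https://api.example"   # hypothetical resource server

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(header: dict, claims: dict) -> str:
    """Mint a compact JWS; one provider key signs both ID tokens and access tokens."""
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    return signing_input + "." + _b64url(hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest())

def verify_access_token(token: str, now: float):
    """RFC 9068-style acceptance at the API: signature, typ 'at+jwt', iss, aud, exp.
    Returns the claims on success, None on rejection."""
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))
        expected = hmac.new(KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
    except (ValueError, UnicodeDecodeError):
        return None
    # typ separates access tokens from other JWTs (e.g. ID tokens) signed with the same key
    if header.get("alg") != "HS256" or header.get("typ") != "at+jwt":
        return None
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER or API_AUDIENCE not in aud or claims.get("exp", 0) <= now:
        return None
    return claims

def demo(now: float = 1_700_000_000) -> dict:
    base = {"iss": ISSUER, "sub": "alice", "iat": now, "exp": now + 300}
    access = sign_jwt({"alg": "HS256", "typ": "at+jwt"},
                      {**base, "aud": API_AUDIENCE, "client_id": "web-app", "jti": "1"})
    # An ID token for client "web-app", signed with the same key, presented to the API
    id_token = sign_jwt({"alg": "HS256", "typ": "JWT"}, {**base, "aud": "web-app"})
    # Payload swapped to another subject while keeping the original signature
    h, _, s = access.split(".")
    forged = f"{h}.{_b64url(json.dumps({**base, 'sub': 'bob', 'aud': API_AUDIENCE}).encode())}.{s}"
    return {"access_ok": verify_access_token(access, now) is not None,
            "id_token_rejected": verify_access_token(id_token, now) is None,
            "forged_rejected": verify_access_token(forged, now) is None,
            "expired_rejected": verify_access_token(access, now + 301) is None}
```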

