The application can use DPoP to ensure its access tokens are bound to non-exportable key held by the browser. In that case, it becomes significantly harder for the attacker to abuse stolen access tokens. More specifically, with DPoP, the attacker can only abuse stolen application tokens by carrying out an online attack, where the proofs are calculated in the user's browser. This attack is described in detail in section 11.4 of the {{DPoP}} specification. Additionally, when the attacker obtains a fresh set of tokens, as described in {{payload-new-flow}}, they can set up DPoP for these tokens using an attacker-controlled key pair. In that case, the attacker is again free to abuse this newly obtained access token without restrictions.
This reads strangely; not sure, but is there an "a" or "s" missing?
oauth-browser-based-apps/draft-ietf-oauth-browser-based-apps.md, line 322 in 11ee6bc