asimops a day ago

In the case of Attack scenario 2, I do not get why in a secure design you would ever forward the client-originating data to the auth service. This is more of a broken best practice than a footgun to me.

The logic should be "Parse, don't validate"[0] and after that you work on that parsed data.

[0]: https://hn.algolia.com/?q=https%3A%2F%2Flexi-lambda.github.i...

securesaml a day ago | parent

See: https://bsky.app/profile/filippo.abyssdomain.expert/post/3le... that was about a signature wrapping attack in crypto, but it also applies here.
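The distinction both comments draw, as an added example that is not from the thread, the linked posts, or any SAML library: a toy signed response in which a Signature element covers one Assertion referenced by ID. HMAC over the serialised element stands in for XMLDSig and canonicalisation, the key and element names are made up for illustration, and the "wrap" is the classic trick of prepending an unsigned Assertion while leaving the signed one intact. The "validate" path answers yes/no and then re-reads the raw document; the "parse" path returns the verified structure and never touches the raw bytes again.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Hypothetical IdP signing key. Real SAML uses XMLDSig with an asymmetric key;
# HMAC is enough to show why "validate then re-parse" differs from "parse".
IDP_KEY = b"demo-idp-signing-key"


def canonical(elem: ET.Element) -> bytes:
    """Stand-in for XML canonicalisation: serialise only the referenced element."""
    return ET.tostring(elem, encoding="utf-8")


def issue_response(subject: str, assertion_id: str = "a1") -> bytes:
    """IdP side (constructed sample): sign one Assertion by ID, wrap it in a Response."""
    assertion = ET.Element("Assertion", {"ID": assertion_id})
    ET.SubElement(assertion, "Subject").text = subject
    mac = hmac.new(IDP_KEY, canonical(assertion), hashlib.sha256).hexdigest()
    response = ET.Element("Response")
    response.append(assertion)
    ET.SubElement(response, "Signature", {"Reference": assertion_id}).text = mac
    return ET.tostring(response, encoding="utf-8")


def _signed_element(root: ET.Element) -> ET.Element:
    """Resolve the Signature's Reference to the element it covers and verify the MAC.
    Returns the covered element itself, not a boolean."""
    sig = root.find("Signature")
    if sig is None or sig.text is None:
        raise ValueError("no signature")
    ref = sig.get("Reference")
    target = next((e for e in root.iter("Assertion") if e.get("ID") == ref), None)
    if target is None:
        raise ValueError("signature references no assertion")
    expected = hmac.new(IDP_KEY, canonical(target), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig.text):
        raise ValueError("bad signature")
    return target


# --- "validate": a yes/no check, after which the caller re-reads the raw document ---
def validate_signature(doc: bytes) -> bool:
    try:
        _signed_element(ET.fromstring(doc))
        return True
    except ValueError:
        return False


def subject_validate_then_reparse(doc: bytes) -> str:
    """Footgun: the signature is checked, then the *raw* bytes are parsed again and the
    first Assertion is trusted. Nothing ties that element to the one that was signed."""
    if not validate_signature(doc):
        raise ValueError("bad signature")
    root = ET.fromstring(doc)
    return root.findtext("Assertion/Subject")


# --- "parse": verification yields the verified structure; raw bytes are never reused ---
@dataclass(frozen=True)
class VerifiedAssertion:
    subject: str


def parse_signed_assertion(doc: bytes) -> VerifiedAssertion:
    target = _signed_element(ET.fromstring(doc))
    return VerifiedAssertion(subject=target.findtext("Subject"))


def wrap_with_forged_assertion(signed_doc: bytes, evil_subject: str) -> bytes:
    """Attacker: keep the signed Assertion byte-for-byte intact (so the signature
    still verifies) but put an unsigned Assertion in front of it."""
    root = ET.fromstring(signed_doc)
    forged = ET.Element("Assertion", {"ID": "forged"})
    ET.SubElement(forged, "Subject").text = evil_subject
    root.insert(0, forged)
    return ET.tostring(root, encoding="utf-8")


if __name__ == "__main__":
    genuine = issue_response("alice")
    wrapped = wrap_with_forged_assertion(genuine, "mallory")
    print(validate_signature(wrapped))             # True: the signed element is untouched
    print(subject_validate_then_reparse(wrapped))  # mallory
    print(parse_signed_assertion(wrapped))         # VerifiedAssertion(subject='alice')
```

The point of the example is the return type of `_signed_element`: once verification hands back the element it actually checked, the downstream code has nothing else to read, and the wrapped document can only ever yield "alice". Forwarding the original bytes to another service (or re-parsing them yourself) reopens exactly the gap the wrap exploits.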