Abuse of incomplete/invalid identity tokens

An attacker may attempt to re-use an identity token that was acquired for another client or for another authorization session.

OpenID Connect Core 1.0 incorporating errata set 1 (OIDC, section 2)


This threat is considered fully mitigated if all the test cases from the following test set succeed.

Back to the threat overview