Public Review Period for “Financial API – Part 2: Read and Write API Security Profile” Started

OpenID Foundation’s Financial API (FAPI) Working Group recommends approval of the following specification as OpenID Implementer’s Draft: Financial API – Part 2: Read and Write API Security Profile, draft 02 This document is a Part 2 of a set of documents that specifies a Financial API. It provides a profile […]

Public Review Period for “Financial API – Part 1: Read Only API Security Profile” Started

OpenID Foundation’s Financial API (FAPI) Working Group has advised the foundation to start the public review period for consideration as an Implementer’s Draft for the specification: Financial API – Part 1: Read Only API Security Profile, draft 01 It is a specification that documents the security profiles of OAuth 2.0 and […]

Preventing Mix-Up Attacks with OpenID Connect

Recently the OAuth community has been concerned with some attack vectors around mixed up clients, particularly when dynamic client registration and discovery are used with user-selected OpenID Providers. Broadly, the attacks consist of using dynamic client registration, or the compromise of an OpenID Provider (OP), to trick the Relying Party […]

Introducing RISC: Working together to protect users

According to a recent Gallup poll, more people are worried about their online accounts being hacked than having their home broken into.With more and more of our digital lives accessible online, attackers are redoubling efforts to steal our personal information, and increasingly exploiting the interconnectedness of web services and apps […]

Industry Leaders Lead: Google Asks Developers to Migrate from OpenID 2.0 to OpenID Connect 1

In 2015, waves of disruption are coursing through the Internet identity ecosystem as standard development organizations, companies and governments look to bolster the security and privacy of the information they are charged with protecting. Implementing the latest open standards is one of the many practical steps identity providers and relying […]

Covert Redirect

“Covert Redirect”, publicized in May, 2014, is an instance of attackers using open redirectors – a well-known threat, with well-known means of prevention. The OpenID Connect protocol mandates strict measures that preclude open redirectors to prevent this vulnerability. Please see Section 4.2.4 of RFC 6819 ( for more information on […]

Attribute Exchange Security Alert 15

A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). See below for information on the suggested fix. The researchers determined that some sites were not confirming that the information passed through AX was signed. That allows an attacker to modify the […]