10.4.2. Request URI Rewrite

The value of request_uri is not signed; thus, it can be tampered with by a man-in-the-browser attacker. Several attack possibilities arise because of this. For example, a) an attacker may create another file that the rewritten URI points to, making it possible to request extra scope, or b) an attacker may launch a DoS attack on a victim site by setting the value of request_uri to be that of the victim.

To prevent such an attack from succeeding, the server should a) check that the value of the request_uri parameter does not point to an unexpected location, b) check that the media type of the response is application/oauth-authz-req+jwt, and c) implement a timeout for obtaining the content of request_uri.
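
The three server-side checks above, sketched as an added example (not part of the specification text). The client registry, the exact-match policy, the 5-second timeout, the size cap and the refusal to follow redirects are assumptions of this example.

```python
from urllib.parse import urlsplit
from urllib.request import HTTPRedirectHandler, build_opener

EXPECTED_MEDIA_TYPE = "application/oauth-authz-req+jwt"
FETCH_TIMEOUT_SECONDS = 5   # assumed value; the text only requires a timeout
MAX_BODY_BYTES = 64 * 1024  # assumed cap on Request Object size

# Constructed sample registration: request_uri values each client may use.
REGISTERED_REQUEST_URIS = {
    "client-123": {"https://client.example.org/requests/r1.jwt"},
}

class RequestUriRejected(Exception):
    """Raised when a request_uri fails one of the checks."""

class NoRedirect(HTTPRedirectHandler):
    # Following a redirect would fetch from a location that was never checked.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def request_uri_allowed(client_id, request_uri, registry=REGISTERED_REQUEST_URIS):
    """Check (a): the URI is https and exactly matches a registered value."""
    parts = urlsplit(request_uri)
    if parts.scheme != "https" or not parts.hostname or "@" in parts.netloc:
        return False
    # The fragment is never sent to the server, so compare without it.
    return parts._replace(fragment="").geturl() in registry.get(client_id, ())

def media_type_ok(content_type):
    """Check (b): media type matches, ignoring parameters and case."""
    return content_type.split(";", 1)[0].strip().lower() == EXPECTED_MEDIA_TYPE

def fetch_request_object(client_id, request_uri, opener=None):
    """Apply checks (a)-(c) and return the Request Object JWT as text."""
    if not request_uri_allowed(client_id, request_uri):
        raise RequestUriRejected("request_uri points to an unexpected location")
    opener = opener or build_opener(NoRedirect)
    # Check (c): bound the time spent waiting on the remote host.
    with opener.open(request_uri, timeout=FETCH_TIMEOUT_SECONDS) as resp:
        if not media_type_ok(resp.headers.get("Content-Type", "")):
            raise RequestUriRejected("unexpected media type")
        body = resp.read(MAX_BODY_BYTES + 1)
    if len(body) > MAX_BODY_BYTES:
        raise RequestUriRejected("Request Object too large")
    return body.decode("ascii")
```

The `timeout` passed to `urllib` applies to each blocking socket operation, so a strict overall deadline needs additional handling around the call.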