...
- Track a victim's activity, because it is happening in the attacker's own session.
- Trick the victim into entering sensitive information into an attacker's session/account, e.g. bank account details.
Appendix A describes an example Login CSRF attack on the IdP.
Option 1 - ViewScoped CSRF Token
...