A more robust and proper authN/authZ mechanism is being explored.

Introduction and Context

Certain RESTful admin functions of the IdP, e.g. account lockout, use IP authentication by default. Consequently, a Cross-Site Request Forgery (CSRF) attack could exploit the authorisation granted to the IP address of the user's network host (the host from which the browser makes the request) to invoke those admin functions cross-site.
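To make the gap concrete, the following is an added Python model (not code from this page or from the IdP) of an admin-endpoint authoriser: the IP-only rule the page describes beside a hardened rule that additionally rejects cross-site requests by checking the Origin header and requiring a custom header. The endpoint path, allow-list, site origin and header names are assumptions.

```python
# Added example (not part of the original wiki page): shows why IP-based
# authorisation alone cannot distinguish a forged cross-site request from a
# legitimate one, and one hardening that can. Path, allow-list, origin and
# header names below are assumptions, not the IdP's real configuration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ADMIN_NETWORKS = [ip_network("10.0.0.0/8")]   # assumed admin allow-list
SITE_ORIGIN = "https://idp.example.org"       # assumed IdP origin


@dataclass
class Request:
    client_ip: str
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def ip_only_policy(req: Request) -> bool:
    """The default the page describes: trust the caller's source IP."""
    ip = ip_address(req.client_ip)
    return any(ip in net for net in ADMIN_NETWORKS)


def hardened_policy(req: Request) -> bool:
    """IP check plus two anti-CSRF conditions on every admin request."""
    if not ip_only_policy(req):
        return False
    # 1. Browsers attach Origin to cross-site POSTs; any origin other than
    #    the IdP's own is rejected outright.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False
    # 2. Require a custom header. A cross-site form or image request cannot
    #    set one, and a script on another origin would need a CORS preflight
    #    that the IdP never grants.
    return req.headers.get("X-Requested-With") == "XMLHttpRequest"


# Constructed requests: the forged one is issued by the victim's own browser,
# so it arrives from the same trusted IP as the legitimate one.
LEGIT = Request("10.1.2.3", "POST", "/idp/admin/lockout",
                {"Origin": SITE_ORIGIN, "X-Requested-With": "XMLHttpRequest"})
FORGED = Request("10.1.2.3", "POST", "/idp/admin/lockout",
                 {"Origin": "https://attacker.example"})
```

Under the IP-only rule both requests are authorised; the hardened rule admits only the legitimate one.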