URLs in JWT scope
During a pentest I found a JWT that seems to be a refresh token issued by some IAM software.
The scope field in the JWT lists all the applications as URLs that this token can be used to obtain access tokens for.
From an attacker persp…