Seen similar issues with SAML in the past. SP correctly verified the assertion, then redirected the user to the real app path with his email address as an (exchangeable) parameter. On IdP/AS side it's of course even more severe...
1
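The pattern described in that reply (assertion verified correctly, identity then handed to the application as an editable URL parameter), as an added example that is not part of the thread and not any real SP's code. The function names, the tiny HMAC session-token format and the sample assertion are illustrative assumptions; the point is where the verified identity travels, not the token format itself.

```python
"""Added example (not from the thread): the verified identity must not leave the
SP as a user-editable parameter. Names, token format and sample data are
illustrative assumptions, not a real SP's API."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample: what the SP knows after it has *correctly* verified the
# assertion's XML signature, audience and validity window.
VERIFIED_ASSERTION = {"subject": "alice@example.com", "session_index": "abc123"}


# --- Vulnerable pattern ------------------------------------------------------
def vulnerable_redirect(assertion: dict) -> str:
    """SP redirects to the app with the (already verified) email as a query
    parameter. The verification result is now a plain, user-editable string."""
    return "/app/home?" + urlencode({"email": assertion["subject"]})


def vulnerable_app_identity(redirect_url: str) -> str:
    """App trusts the parameter: whoever edits the URL 'is' that user."""
    qs = parse_qs(urlparse(redirect_url).query)
    return qs["email"][0]


# --- Hardened pattern --------------------------------------------------------
def _b64u(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def hardened_redirect(assertion: dict, key: bytes,
                      now: Optional[float] = None) -> Tuple[str, str]:
    """SP mints an opaque, MAC-protected session token bound to the verified
    subject and returns (redirect_url, token). The token is meant to travel in
    an HttpOnly cookie; the URL itself carries no identity at all."""
    now = time.time() if now is None else now
    claims = {"sub": assertion["subject"], "exp": now + 300,
              "nonce": secrets.token_hex(8)}
    body = _b64u(json.dumps(claims, separators=(",", ":")).encode())
    tag = _b64u(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return "/app/home", body + "." + tag


def hardened_app_identity(token: str, key: bytes,
                          now: Optional[float] = None) -> Optional[str]:
    """App derives identity only from a token whose MAC verifies and which has
    not expired; any edit to the subject, or a forged token, yields None."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64u(tag)):
        return None
    claims = json.loads(_unb64u(body))
    if claims.get("exp", 0) < now:
        return None
    return claims.get("sub")


def tamper_subject(token: str, new_subject: str) -> str:
    """Attacker rewrites the subject inside the token body, keeping the old tag."""
    body, tag = token.split(".")
    claims = json.loads(_unb64u(body))
    claims["sub"] = new_subject
    return _b64u(json.dumps(claims, separators=(",", ":")).encode()) + "." + tag


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    url = vulnerable_redirect(VERIFIED_ASSERTION)
    print(vulnerable_app_identity(url.replace("alice", "admin")))  # admin@example.com
    _, tok = hardened_redirect(VERIFIED_ASSERTION, key)
    print(hardened_app_identity(tok, key))  # alice@example.com
    print(hardened_app_identity(tamper_subject(tok, "admin@example.com"), key))  # None
```

The hardened half is deliberately boring: the only thing the application ever reads is a value the SP itself authenticated after the redirect, so the correctness of the SAML verification step is preserved through to the point of use instead of being discarded at the redirect.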
I feel logical bugs around OAuth/OIDC/JWT handling are on the rise - and they are like the login form SQL injections of the past ("be whoever you want to be").
Love those standards and their capabilities - but are they getting too complicated?
2
Nah this is more a demonstration of why sticking to standards is a good idea, and why building an authorization server isn't a project that should be taken lightly.
2
1
Sorry, the Apple vulnerability is not.
It’s just my feeling that higher likelihood of logical bugs due to high complexity may also apply to OIDC (in combination with OAuth).
2
1
High complexity means? Are you aware of solutions for ID federation that are simpler to use and secure?
1
1
No, just SAML and wouldn't call it less complicated, just maybe so obviously complicated that only few tried to do the XML handling themselves and rather used proper libs 😀
Really don't want to criticize anyone. I have high respect for everyone inventing/maintaining such standards
1
1
Well, after 18 years, XML DSig libs still exhibited critical normalization bugs last year. It has been continuing and I expect it to continue. That's why we removed any and all normalization from JWS. That was one of the first decisions I and @ve7jtb made. Just a data point.
1
11
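What "no normalization in JWS" buys you, as an added example that is not part of the thread and not the JOSE working group's or any library's code. The byte-exact verifier MACs the header.payload string exactly as received and only then decodes those same bytes. The "canonicalizing" verifier beside it is a constructed toy of the class of normalization gap the reply contrasts JWS with: it parses the payload, re-serializes a canonical form, MACs that, and then hands the original bytes to an ordinary parser. Its first-key-wins canonicalizer versus the last-key-wins consumer parser is an assumed parser differential for illustration, not a bug in any named product.

```python
"""Added example (not from the thread): JWS verifies the exact bytes received;
a verifier that canonicalizes before MACing verifies something other than what
it consumes. The canonicalizing verifier is a constructed illustration."""
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64u(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jws_sign_hs256(claims: dict, key: bytes) -> str:
    """Compact JWS, HS256. The signer happens to emit sorted, compact JSON so the
    toy canonical form below coincides with the signed bytes."""
    header = b64u(json.dumps({"alg": "HS256", "typ": "JWT"},
                             separators=(",", ":")).encode())
    payload = b64u(json.dumps(claims, separators=(",", ":"),
                              sort_keys=True).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64u(sig)}"


def _split(token: str):
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    if json.loads(unb64u(h)).get("alg") != "HS256":  # pin alg; ignore header's wish
        return None
    return h, p, s


def jws_verify_exact(token: str, key: bytes) -> Optional[dict]:
    """Byte-exact: MAC over the received header.payload string; decode only the
    bytes that were verified. No canonical form exists to disagree with."""
    parts = _split(token)
    if parts is None:
        return None
    h, p, s = parts
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64u(s)):
        return None
    return json.loads(unb64u(p))


def _first_key_wins(pairs):
    out = {}
    for k, v in pairs:
        out.setdefault(k, v)
    return out


def jws_verify_canonicalizing(token: str, key: bytes) -> Optional[dict]:
    """Constructed anti-pattern: canonicalize (first duplicate key wins, sorted,
    compact), MAC the canonical bytes, then return json.loads() of the ORIGINAL
    payload, where the last duplicate key wins. Verified != consumed."""
    parts = _split(token)
    if parts is None:
        return None
    h, p, s = parts
    canonical = json.dumps(json.loads(unb64u(p), object_pairs_hook=_first_key_wins),
                           separators=(",", ":"), sort_keys=True)
    expected = hmac.new(key, f"{h}.{b64u(canonical.encode())}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64u(s)):
        return None
    return json.loads(unb64u(p))


def forge_duplicate_key(token: str, key_name: str, value: str) -> str:
    """Attacker appends a duplicate claim to the signed payload; header and
    signature are left untouched."""
    h, p, s = token.split(".")
    raw = unb64u(p).decode().rstrip("}")
    forged = raw + "," + json.dumps(key_name) + ":" + json.dumps(value) + "}"
    return f"{h}.{b64u(forged.encode())}.{s}"


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-use-0001"
    tok = jws_sign_hs256({"sub": "alice", "role": "user"}, key)
    forged = forge_duplicate_key(tok, "sub", "admin")
    print(jws_verify_exact(forged, key))            # None
    print(jws_verify_canonicalizing(forged, key))   # {'role': 'user', 'sub': 'admin'}
```

The forged token is rejected by the byte-exact verifier for the simple reason that its payload segment is not the segment that was signed. The canonicalizing verifier accepts it because canonicalization maps the attacker's bytes back onto the signed ones, and the application then parses the attacker's bytes. That gap between the normalized thing and the consumed thing is exactly what a design with no normalization step cannot have.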
It's almost like they learned nothing from the mess of XML-based protocols
Jun 2, 2020 · 4:44 PM UTC
2