In the create-credential algorithm, the user sends their cookie to the IDP during Step 2, when the user fetches their account list. This is before any user consent is gathered.
In the clearest attack, the IDP operates an independent API for each RP and can then tell from the URL of the request which RP it is associated with. This discloses an (IDP user id, RP) pair to the IDP.
More subtly, the IDP has tuples of (user id, time, client IP address). These can be joined with tuples from the RPs (RP, time, client IP address) to disclose (IDP user id, RP) pairs to the IDP.
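
To make the second, subtler disclosure concrete for threat modelling, the following added example (not part of the original text or of any specification) performs the time/IP join on constructed logs and reports which RP visits resolve to exactly one IDP user. The log layout, the sample names and addresses, and the 2-second matching window are assumptions.

```python
from collections import defaultdict

# Constructed sample logs (not real data). Times are epoch seconds.
# IDP side: (idp_user_id, time, client_ip) from account-list fetches.
IDP_LOG = [
    ("alice", 1000.0, "198.51.100.7"),
    ("bob",   1001.0, "203.0.113.9"),
    ("carol", 1001.5, "203.0.113.9"),   # shares an address with bob
    ("dave",  5000.0, "192.0.2.44"),
]
# RP side: (rp, time, client_ip) for the page loads that led to a fetch.
RP_LOG = [
    ("news.example", 999.6,  "198.51.100.7"),
    ("shop.example", 1000.8, "203.0.113.9"),
    ("bank.example", 9000.0, "192.0.2.44"),
]

def link(idp_log, rp_log, window=2.0):
    """Return {(rp, rp_time, ip): sorted candidate IDP user ids}.

    A candidate is an IDP fetch from the same IP within `window` seconds
    of the RP event (window is an assumed tolerance).
    """
    by_ip = defaultdict(list)
    for user, t, ip in idp_log:
        by_ip[ip].append((t, user))
    result = {}
    for rp, t_rp, ip in rp_log:
        users = {u for t, u in by_ip[ip] if abs(t - t_rp) <= window}
        result[(rp, t_rp, ip)] = sorted(users)
    return result

def disclosed_pairs(idp_log, rp_log, window=2.0):
    """(idp_user_id, rp) pairs where exactly one candidate remains."""
    return sorted(
        (users[0], rp)
        for (rp, _, _), users in link(idp_log, rp_log, window).items()
        if len(users) == 1
    )

if __name__ == "__main__":
    for key, users in link(IDP_LOG, RP_LOG).items():
        print(key, "->", users)
    print("uniquely disclosed:", disclosed_pairs(IDP_LOG, RP_LOG))
```

With these inputs only the `news.example` visit resolves to a single user; the `shop.example` visit stays ambiguous because two users share the address inside the window, and a tighter window (better clock agreement) removes that ambiguity.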