
OAuth 2.1

Open leastprivilege opened this issue 3 years ago • 5 comments

Once the OAuth 2.1 spec is out - what can we do to help consumers to stay within the recommended parameters?

  • using OAuth implicit flow
  • one-time refresh tokens for public clients
  • code flow without PKCE
  • usage of password grant

warnings? errors? global switch?

leastprivilege avatar Mar 12 '21 07:03 leastprivilege

Maybe even the default mode.

brockallen avatar Mar 12 '21 13:03 brockallen

Do you plan to remove these features in a future release to be compliant with the new spec?

Julien-Marpault avatar Sep 14 '22 09:09 Julien-Marpault

no

leastprivilege avatar Sep 14 '22 13:09 leastprivilege

Possibly can be done as a config validator? Look into it (and maybe just emit warning logs).

brockallen avatar Jan 10 '23 15:01 brockallen
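The config validator floated above, sketched as an added example (not code from IdentityServer or from this thread): it walks registered client configurations at startup and reports the four OAuth 2.1 deviations listed in the opening post, behind a hypothetical Warn/Strict "global switch". The `Client`, `GrantType` and `TokenUsage` types are local stand-ins whose member names mirror IdentityServer's client model so the file compiles on its own.

```csharp
using System;
using System.Collections.Generic;
// Constructed sample: a legacy SPA still on implicit, and a public mobile app reusing refresh tokens.
var clients = new[]
{
    new Client { ClientId = "legacy-spa", AllowedGrantTypes = { GrantType.Implicit } },
    new Client { ClientId = "mobile", AllowedGrantTypes = { GrantType.AuthorizationCode },
                 RequireClientSecret = false, AllowOfflineAccess = true, RefreshTokenUsage = TokenUsage.ReUse },
};
OAuth21Validator.Validate(clients, OAuth21Mode.Warn); // Strict would throw on the first finding
enum OAuth21Mode { Warn, Strict } // hypothetical "global switch": log warnings, or reject the config
static class OAuth21Validator
{
    // One finding per OAuth 2.1 deviation in a single client configuration.
    public static List<string> Check(Client c)
    {
        var f = new List<string>();
        var g = c.AllowedGrantTypes;
        if (g.Contains(GrantType.Implicit)) f.Add("implicit grant is removed in OAuth 2.1");
        if (g.Contains(GrantType.ResourceOwnerPassword)) f.Add("password grant is removed in OAuth 2.1");
        if (g.Contains(GrantType.AuthorizationCode) && !c.RequirePkce)
            f.Add("authorization code flow without PKCE");
        // Public client = no client secret; OAuth 2.1 requires its refresh tokens to rotate (one-time use).
        if (!c.RequireClientSecret && c.AllowOfflineAccess && c.RefreshTokenUsage != TokenUsage.OneTimeOnly)
            f.Add("reusable refresh tokens issued to a public client");
        return f;
    }
    // Run once at startup over every registered client.
    public static void Validate(IEnumerable<Client> clients, OAuth21Mode mode)
    {
        foreach (var c in clients)
            foreach (var finding in Check(c))
                if (mode == OAuth21Mode.Strict) throw new InvalidOperationException($"{c.ClientId}: {finding}");
                else Console.WriteLine($"warn: client '{c.ClientId}': {finding}");
    }
}
// Stand-ins for the IdentityServer Client model: names mirror the real properties and constants
// (AllowedGrantTypes, RequirePkce, RequireClientSecret, AllowOfflineAccess, RefreshTokenUsage,
// GrantType.*, TokenUsage.*) but are defined here so the file compiles without the package.
enum TokenUsage { ReUse, OneTimeOnly }
static class GrantType { public const string Implicit = "implicit", AuthorizationCode = "authorization_code", ResourceOwnerPassword = "password"; }
class Client
{
    public string ClientId { get; set; } = "";
    public ICollection<string> AllowedGrantTypes { get; set; } = new List<string>();
    public bool RequirePkce { get; set; } = true;           // IdentityServer defaults PKCE on
    public bool RequireClientSecret { get; set; } = true;
    public bool AllowOfflineAccess { get; set; }
    public TokenUsage RefreshTokenUsage { get; set; } = TokenUsage.OneTimeOnly;
}
```

In Warn mode the sample prints one warning for each client; switching to Strict turns the first finding into a startup failure, which is the "errors" option from the opening post.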

We will re-review this during the 7.1 timeframe.

brockallen avatar Oct 09 '23 14:10 brockallen