review V51.3.3 and V51.3.4
From the initial OAuth we have requirements:
| # | Description | L1 | L2 | L3 |
|---|---|---|---|---|
| 51.3.3 | [ADDED] Verify that Clients are utilizing the "scope" and "resource" parameters, respectively to determine the resource server they want to access. | ✓ | ✓ | ✓ |
| 51.3.4 | [ADDED] Verify that Clients are utilizing the "scope" and "authorization_details" parameters to determine the related resources and actions the access token are restricted to. | ✓ | ✓ | ✓ |
In addition to some formatting improvements, we need to (re)validate the content, the need, the problem to solve and the sections.
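To make concrete what the two requirements ask of a client and a resource server, here is an added example (not part of the thread or of ASVS): a client names the target resource server with `resource` (RFC 8707) and the permitted actions with `authorization_details` (RFC 9396) in its authorization request, and the resource server accepts a token only when its audience, scope and authorization details cover the request. Endpoint, resource URL and claim layout are constructed sample values; treating a missing `authorization_details` claim as "scope alone governs" is a stated policy assumption.

```python
from urllib.parse import urlencode
import json

# Constructed sample values, not taken from the thread.
AUTHZ_ENDPOINT = "https://as.example/authorize"
RESOURCE = "https://api.example"


def build_authorization_url(client_id, redirect_uri, scope, resource, authorization_details):
    """Client side: name the resource server (resource) and the fine-grained
    rights (authorization_details) up front, alongside the coarse scope."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scope),
        "resource": resource,
        "authorization_details": json.dumps(authorization_details, separators=(",", ":")),
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def token_permits(token_claims, resource, required_scope, action, location):
    """Resource server side: the token must be issued for this server (aud, derived
    by the AS from the resource parameter), carry the required scope, and, if it
    has authorization_details, contain an entry covering this action at this location."""
    aud = token_claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if resource not in aud:
        return False  # token was minted for a different resource server
    if required_scope not in token_claims.get("scope", "").split():
        return False
    details = token_claims.get("authorization_details")
    if details is None:
        return True  # assumption: no RAR restriction present, so scope alone governs
    for entry in details:
        if action in entry.get("actions", []) and location in entry.get("locations", []):
            return True
    return False  # authorization_details present but do not cover this action/location
```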
> Verify that Clients are utilizing the "scope" and "resource" parameters, respectively to determine the resource server they want to access.
"Respectively" does not make sense here, does it?
Moreover, isn't the phrase backwards? I'm not sure I understand what it is we want to say here.
ping @csfreak92 - can you please provide a description of the goal for the mentioned requirements?
I assume that those requirements are saying: the application must use the scope, resource and authorization_details parameters and make authorization decisions based on them.
From that perspective it duplicates the general authorization requirements - that the user or service can use only permitted services and functionality from the application.
As we were not able to figure out any other meaning for those, I propose that we delete them for now. If there is actually some other meaning, we can add them back in a clearer way.
Now, seeing that it is written in the OAuth Client section, my previous comment is not really valid (as it was written under the (wrong) assumption that those requirements apply to the resource server section). That makes those requirements even more confusing for us. So the proposal to delete them is still valid, but for a different reason.