Ralph Andalis
@jmanico, would you like me to draft a proposal for a dedicated OAuth2 section? I believe that also deals with the original issue I opened here.
Sounds good, let me thoroughly read it and then draft something soon (might be a bit later). :)
Just an update. I'm still actively working on this in my spare time, please do not close the issue.
+1 on this requirement, I actually saw a badly designed/implemented app where the whole API is sending everything to the front-end to make the application's response "faster" but it ended...
+1 on this, I totally agree we should suggest mTLS. We usually see in security and architecture reviews that most setups do not have mTLS for intra-service communications.
Hi @tghosth, I can give it a shot. Please assign this issue to me. Also, are we just suggesting this for Level 3? Wouldn't it make more sense for Level...
Hey @elarlang, is this scenario only dealing with SSO specifically? If yes, then how about, `Verify that SSO auto-logins are disabled for extended periods of user session and forces the...
@elarlang, I like the last one you have, just wondering if requiring the user's consent or was it an action like clicking a button that we want a user to...
@tghosth, @jmanico, as promised here is my initial draft for the OAuth requirements (with some references to OpenID Connect) as I have derived from the RFC (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics). I still need...
@elarlang, yeah I do agree that 18 requirements for one topic is too much, honestly. I have this dilemma too, but there's another dilemma if I will cut them...