oauth-v2-1
OAuth 2.1 is a consolidation of the core OAuth 2.0 specs
Some flows and extensions work differently from the core authorization code flow, such as PAR and the device flow which start out with a POST request to the authorization server....
Security considerations should be reserved for implementation details
From Vittorio: --- [§7.4.5](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-00#section-7.4.5) Along the same lines of the comments about delegated authorization earlier for §7.2.3. I think it would be useful to acknowledge here that ATs might carry,...
An attacker could pass a client generated parameter that is too long for the server potentially. Should this be mentioned in security considerations, or would that be considered a general...
## This PR obsoletes OAuth 2.0 NB: consider adding other specs obsoleted or updated by this one. Related to #28 cc: @aaronpk
Potential new Security Consideration - Malicious Clients, Consent Phishing, or other appropriate term: As service providers adopt stronger user authentication methods, attackers seek additional means to gain access to resources....
see https://github.com/oauth-wg/oauth-v2-1/commit/673d7f0d501aef6cc1fd0bf38b2436d34d0af8cd#r145092580 and suggest https://www.rfc-editor.org/rfc/rfc9110.html#section-11.1 rather than ref to ABNF
Fixes typos.
Section 4.1.2.1 Error Response is unclear on how to handle an Invalid Authorization Endpoint request
The first paragraph of **Section 4.1.2.1. Error Response** indicates that the authorization server **SHOULD** inform the resource owner if an invalid or malformed request is attempted but does not indicate...
Clarify `aud` values that should be accepted in `private_key_jwt` at the token (and other) endpoints
There's some unfortunate history around the `aud` value that you use in `private_key_jwt` client authentication assertions. [RFC7523](https://datatracker.ietf.org/doc/html/rfc7523#section-3) says: ``` The JWT MUST contain an "aud" (audience) claim containing a value...