OpenID4VCI

Improve references to security BCP

Open · danielfett opened this issue 10 months ago · 0 comments

The draft in Sections 5 and 6 refers to the security BCP:

The Authorization Endpoint is used in the same manner as defined in [RFC6749], taking into account the recommendations given in [I-D.ietf-oauth-security-topics].

The Token Endpoint issues an Access Token and, optionally, a Refresh Token in exchange for the Authorization Code that Client obtained in a successful Authorization Response. It is used in the same manner as defined in [RFC6749] and follows the recommendations given in [I-D.ietf-oauth-security-topics].

This wording is misleading, as not all protections mentioned in the BCP are mentioned here (e.g., PKCE is only implied in Section 6; the PKCE downgrade attack mitigation is not mentioned).

This may lead to implementers not implementing necessary security mechanisms.

danielfett · Apr 05 '24 14:04
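To make concrete what "taking into account the recommendations" in the security BCP entails at the two endpoints the issue quotes, here is an added example that is not part of the issue, the OpenID4VCI draft, or any reference implementation. It is a hypothetical, in-memory authorization server (class name `AuthorizationServer` and its `authorize`/`token` methods are assumptions for illustration) that enforces the PKCE-related rules an implementer would otherwise have to dig out of the BCP: PKCE required for every code-flow request, S256 only, single-use codes, a `code_verifier` required whenever a `code_challenge` was bound to the code, and the PKCE downgrade mitigation, which rejects a token request that carries a `code_verifier` for a code issued from an authorization request that had no `code_challenge`. A second, deliberately lax instance (`require_pkce=False`) shows that the downgrade check still bites even where PKCE is only "supported", which is exactly the case the BCP's downgrade section targets.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass, field


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL-no-pad(SHA256(ASCII(code_verifier))), per RFC 7636."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    """32 random bytes -> 43-char base64url verifier, inside RFC 7636's 43..128 bound."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


@dataclass
class AuthorizationServer:
    """Hypothetical minimal code-flow AS; only the PKCE-relevant checks are modelled."""
    require_pkce: bool = True
    # issued code -> (client_id, code_challenge or None). None records that the
    # authorization request carried no code_challenge at all.
    _codes: dict = field(default_factory=dict)

    def authorize(self, client_id, code_challenge=None, code_challenge_method=None):
        """Authorization endpoint: validate PKCE parameters, issue a bound code."""
        if code_challenge is None:
            if self.require_pkce:
                # BCP: PKCE (or an equivalent binding) for every client, not just public ones.
                raise ValueError("invalid_request: code_challenge is required")
        elif code_challenge_method != "S256":
            # "plain" is not accepted; the challenge must not reveal the verifier.
            raise ValueError("invalid_request: only code_challenge_method=S256 is accepted")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id, code, code_verifier=None):
        """Token endpoint: redeem a code exactly once, enforcing PKCE both ways."""
        entry = self._codes.pop(code, None)  # single use: a replay finds nothing
        if entry is None or entry[0] != client_id:
            raise ValueError("invalid_grant: unknown code or wrong client")
        _, challenge = entry
        if challenge is None:
            # PKCE downgrade mitigation (security BCP): a code issued without a
            # code_challenge must not be redeemable with a code_verifier, otherwise an
            # attacker-stripped challenge lets a stolen code pass unchecked.
            if code_verifier is not None:
                raise ValueError("invalid_grant: code_verifier present but no code_challenge was bound")
        else:
            if code_verifier is None:
                raise ValueError("invalid_grant: code_verifier is required for this code")
            if not secrets.compare_digest(s256_challenge(code_verifier), challenge):
                raise ValueError("invalid_grant: code_verifier does not match code_challenge")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def _outcome(fn):
    """Run one endpoint call and report 'ok' or the OAuth error it raised."""
    try:
        fn()
        return "ok"
    except ValueError as err:
        return str(err)


def run_scenarios() -> dict:
    """Constructed scenarios exercising each check; returns a name -> outcome map."""
    results = {}
    strict = AuthorizationServer(require_pkce=True)

    # Honest client: challenge at /authorize, matching verifier at /token.
    verifier = new_verifier()
    code = strict.authorize("wallet", s256_challenge(verifier), "S256")
    results["honest"] = "access_token" in strict.token("wallet", code, verifier)
    # The same code presented again is refused (single use).
    results["replay"] = _outcome(lambda: strict.token("wallet", code, verifier))

    # Stolen code redeemed by someone who does not hold the original verifier.
    code = strict.authorize("wallet", s256_challenge(new_verifier()), "S256")
    results["stolen_code"] = _outcome(lambda: strict.token("wallet", code, new_verifier()))

    # Request with no PKCE at all is refused up front on a strict server.
    results["no_pkce"] = _outcome(lambda: strict.authorize("wallet"))
    # "plain" method is refused as well.
    results["plain"] = _outcome(lambda: strict.authorize("wallet", "abc", "plain"))

    # Downgrade: a server that merely "supports" PKCE issued a code from a request
    # with no code_challenge; a token request then arrives carrying a verifier.
    lax = AuthorizationServer(require_pkce=False)
    code = lax.authorize("wallet")
    results["downgrade"] = _outcome(lambda: lax.token("wallet", code, new_verifier()))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:12} {outcome}")
```

The point of the `downgrade` scenario is that the token endpoint cannot rely on "if a verifier arrives, check it, otherwise skip": it has to remember whether the authorization request bound a challenge and refuse the mismatch in both directions. That is the mitigation the issue notes is absent from the draft's wording.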