Gabriel Corona
Example of Keycloak not checking user consent for UMA grants: https://github.com/keycloak/keycloak/issues/30779#issuecomment-2192706558 :wink:
> With 3.2.5 I addressed (https://github.com/OWASP/ASVS/issues/1815) (in my opinion) this problem - that you can not create a session for the user without user interaction / consent. The 3.2.5 talks...
> A note on terminology: OAuth is not really an authorization framework Well it *is* (still) (in a sense) an authorization framework in the sense that it is about resource...
Wording a requirement on this is not easy because on the one hand consent verification is important but on the other hand some use cases will require to skip user...
> Is the "interactive" here understandable? Maybe "user-to-machine"? The meaning is not exactly the same but I suppose that would do?
Coming from #2036, I'm adding to the scope of this issue the question of including sufficient information about the content of the `authorization_details` (RAR) in the consent validation.
Yes this is all quite complex/cumbersome. Could we simplify/merge all these requirements into something like: > Verify that the authorization server does not process user authorization requests without the user...
Or maybe: > Verify that the authorization server mitigates client impersonation by always explicitly asking for user consent in user authorization requests if the identity of the client cannot be...
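The two points raised above (consent validation has to cover the RAR `authorization_details`, not just scopes; and consent can only be skipped when the client's identity is assured, otherwise an impersonator who knows the `client_id` gets a grant the user never approved) are easier to see in code than in requirement wording. The following is an added illustration, not code from the ASVS project, from Keycloak, or from any other authorization server; `Client`, `Grant`, `consent_required` and the sample payment `authorization_details` object are all hypothetical names constructed for this example.

```python
"""Consent decision logic for an OAuth 2.0 authorization server.

Added illustration (hypothetical names, not any real server's code).
It models two rules from the discussion:
  * a consent screen may only be skipped for a client whose identity is
    assured, i.e. a confidential client whose credentials the token
    endpoint will verify before the code is exchanged; a public client
    can be impersonated by anyone who knows its client_id (RFC 6749 s10.2);
  * a remembered consent only covers a request whose scopes AND RAR
    authorization_details were all shown to the user when they consented.
"""
from dataclasses import dataclass
import json


@dataclass(frozen=True)
class Client:
    client_id: str
    # True when the client registered credentials (client_secret or
    # private_key_jwt) that the token endpoint will check.  Only then can
    # the server trust that a repeated request really comes from it.
    confidential: bool


@dataclass(frozen=True)
class Grant:
    """What the user agreed to the last time they saw the consent screen."""
    scopes: frozenset
    authorization_details: frozenset  # canonical JSON of each RAR object


def canonical(detail: dict) -> str:
    """Canonical JSON so two equal RAR objects compare equal as strings."""
    return json.dumps(detail, sort_keys=True, separators=(",", ":"))


def consent_required(client: Client, user_id: str, scopes, authorization_details, grants: dict) -> bool:
    """Return True if the user must be shown a consent screen for this request.

    `grants` maps (client_id, user_id) -> Grant recorded by record_consent().
    """
    # Never auto-approve a repeated authorization for a client whose
    # identity cannot be assured: a public client's code can be redeemed
    # without any credential, so skipping consent here lets an impersonator
    # using the same client_id obtain a grant the user never saw.
    if not client.confidential:
        return True

    grant = grants.get((client.client_id, user_id))
    if grant is None:
        return True  # first request from this client for this user

    # Every requested scope must have been consented to.
    if not set(scopes) <= grant.scopes:
        return True

    # Every requested RAR object must have been consented to exactly; a
    # widened "actions" list or a new "locations" entry is a new request
    # the user has not yet seen.
    requested = {canonical(d) for d in authorization_details}
    return not requested <= grant.authorization_details


def record_consent(grants: dict, client: Client, user_id: str, scopes, authorization_details) -> None:
    """Store exactly what the user saw and approved on the consent screen."""
    grants[(client.client_id, user_id)] = Grant(
        frozenset(scopes),
        frozenset(canonical(d) for d in authorization_details),
    )


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    grants = {}
    web_app = Client("web-app", confidential=True)
    spa = Client("spa", confidential=False)
    payment = {"type": "payment_initiation", "actions": ["initiate"],
               "locations": ["https://bank.example/payments"]}
    record_consent(grants, web_app, "alice", {"openid", "payments"}, [payment])
    print("same request again:", consent_required(web_app, "alice", {"openid"}, [payment], grants))
    wider = dict(payment, actions=["initiate", "cancel"])
    print("widened RAR object:", consent_required(web_app, "alice", {"openid"}, [wider], grants))
    record_consent(grants, spa, "alice", {"openid"}, [])
    print("public client repeat:", consent_required(spa, "alice", {"openid"}, [], grants))
```

Note that the public-client branch returns `True` even when a matching grant exists: the stored grant tells the server what the user approved, but not that the party presenting `client_id=spa` this time is the same software the user approved it for.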
Here follows an attempt to move part of the requirement outside of the OAuth chapter. General requirement which could be outside of the OAuth chapter: > Verify that any consent...
> I think the second is in addition to the first one, where the first one is suggested "outside of the OAuth chapter". Yes, my intent was to have the...