Gabriel Corona
What about TOTP, [RFC6238](https://tools.ietf.org/html/rfc6238)?
> Only annoying thing is that 90% of tutorials on the internet refer to a google_auth lib (for SSH auth) which is .. ugh I thought the case discussed here...
> "if public client && rar then jar"? @elarlang, The goal here is to protect against modification from the *user*. I don't believe it makes much sense to protect the...
My intent was to talk about backend-side clients, i.e. clients which do not execute on the user device but on a backend server: * For clients which execute on the...
> Verify that the user **cannot tamper** with rich authorization request (RAR) authorization_details if the client is not executed on a user device. This can for example be achieved using...
Actually this topic is quite similar to #1964 and we could use the same wording and mitigation for both.
Using the same wording as for #1964: > Verify that the user may not tamper with the 'authorization_details' parameter for clients which are not executed on the user device, for...
I am coming up with: > Verify that for a given server-side client (which is not executed on the user device), the authorization server enforces that the 'authorization_details' parameter is...
Yes maybe, "end-user device".
(I don't believe there are requirements about compression side channels in general and BREACH in particular, are they?)