Finalizing OAuth 2.0 chapter #1904
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Ralph made the changes requested by the reviewers based on their comments/suggestions. Also removed the mapping subsection to clean it up.
jmanico
approved these changes
Mar 17, 2024
5.0/en/0x51-V51-OAuth2.md
Outdated
| @@ -28,16 +28,10 @@ There are various different personas in the OAuth process, described in more det | |||
|
|
|||
| | # | Description | L1 | L2 | L3 | | |||
| | :---: | :--- | :---: | :---: | :---: | | |||
| | **51.3.1** | [ADDED] Verify that Resource Servers are using mechanisms for sender-constraining access tokens to prevent token replay, such as Mutual TLS for OAuth 2.0 or OAuth Demonstration of Proof of Possession (DPoP). | ✓ | ✓ | ✓ | | |||
| | **51.3.1** | [ADDED] Verify Resource Servers implement sender-constrained access token mechanisms to mitigate token replay risks. This is achieved by mandating Mutual TLS for OAuth 2.0 or OAuth Demonstration of Proof of Possession (DPoP), using the client secret provided at client registration. | ✓ | ✓ | ✓ | | |||
There was a problem hiding this comment.
"using the client secret provided"
I think that the use of "client secret" as a client authentication mechanism may pose security risks. Maybe we should consider recommending a secure client authentication mechanism?
There was a problem hiding this comment.
I think is is in response to Jim's point here:
#1804 (comment)
I am going to merge this for now @VinodAnandan but please do feel free to open a separate issue if you think this is still unclear.
tghosth
approved these changes
Mar 17, 2024
5.0/en/0x51-V51-OAuth2.md
Outdated
| @@ -28,16 +28,10 @@ There are various different personas in the OAuth process, described in more det | |||
|
|
|||
| | # | Description | L1 | L2 | L3 | | |||
| | :---: | :--- | :---: | :---: | :---: | | |||
| | **51.3.1** | [ADDED] Verify that Resource Servers are using mechanisms for sender-constraining access tokens to prevent token replay, such as Mutual TLS for OAuth 2.0 or OAuth Demonstration of Proof of Possession (DPoP). | ✓ | ✓ | ✓ | | |||
| | **51.3.1** | [ADDED] Verify Resource Servers implement sender-constrained access token mechanisms to mitigate token replay risks. This is achieved by mandating Mutual TLS for OAuth 2.0 or OAuth Demonstration of Proof of Possession (DPoP), using the client secret provided at client registration. | ✓ | ✓ | ✓ | | |||
There was a problem hiding this comment.
I think is is in response to Jim's point here:
#1804 (comment)
I am going to merge this for now @VinodAnandan but please do feel free to open a separate issue if you think this is still unclear.
tghosth
added a commit
that referenced
this pull request
Mar 17, 2024
… (discussed in #996) * Adding OAuth requirements draft v1 Adding OAuth requirements draft v1 * Cleaning up trimmed OAuth 2.0 requirements Need to add a few more info and references. * Final clean-up and updating of OAuth terminology Final clean-up and updating of OAuth terminology, plus added RFC references. * Trimming down new OAuth 2.0 requirements Trimming down new OAuth 2.0 requirements by removing the Authorization Server pieces. * Minor tweaks to OAuth wording. * Update 0x12-V3-Session-management.md Latest OAuth 2.0 requirements from RFC v24 * Move OAuth from @csfreak92 content to a dedicated chapter * Fix some space issues * Tidying and formatting and numbering changes * More linting fixes * Linting fixes * More linting fixes * Fix chapter levels * category title level and number fix * Other subtle wording changes * Update 0x51-V51-OAuth2 chapter (#1880) * Update 0x51-V51-OAuth2.md Final edits for OAuth 2.0 protocol chapter * Update 0x51-V51-OAuth2.md Cleaning up trailing spaces * Fixing lint errors Changed tabs to spaces to show indentation on the terminology section. * Various tweaks throughout the document --------- Co-authored-by: Josh Grossman <tghosth@users.noreply.github.com> * Finalizing OAuth 2.0 chapter (#1904) * Finalizing OAuth 2.0 chapter Ralph made the changes requested by the reviewers based on their comments/suggestions. Also removed the mapping subsection to clean it up. * Update 0x51-V51-OAuth2.md --------- Co-authored-by: Josh Grossman <tghosth@users.noreply.github.com> --------- Co-authored-by: Ralph Andalis <ralph.andalis92@gmail.com> Co-authored-by: Elar Lang <47597707+elarlang@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Ralph made the changes requested by the reviewers based on their comments/suggestions. Also removed the mapping subsection to clean it up.