Pitch
In order to further securing OAuth flows for Mastodon, once we have PKCE (#30329) implemented, we should consider supporting RFC 9207 which adds an iss response parameter to the OAuth authorization code redirect, allowing clients to safely assert that the code comes from the authorization server that they believe they're interacting with.
Motivation
At present, applications either don't do such an assertion that they've been redirected back from the same authorization server, or they rely on some form of cookie and referrer tracking. This provides a first party mechanism for verification.
Arguably, what this guards against is protected by PKCE as far as I can tell, but it'd also allow clients to not acccidentally exchange the code + challenge_verifier with a malicious Authorization Server accidentally (e.g., session mix up leads to the state not fully matching)
Pitch
In order to further securing OAuth flows for Mastodon, once we have PKCE (#30329) implemented, we should consider supporting RFC 9207 which adds an
issresponse parameter to the OAuth authorization code redirect, allowing clients to safely assert that the code comes from the authorization server that they believe they're interacting with.Motivation
At present, applications either don't do such an assertion that they've been redirected back from the same authorization server, or they rely on some form of cookie and referrer tracking. This provides a first party mechanism for verification.
Arguably, what this guards against is protected by PKCE as far as I can tell, but it'd also allow clients to not acccidentally exchange the code + challenge_verifier with a malicious Authorization Server accidentally (e.g., session mix up leads to the state not fully matching)