New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Strengthen "Authorization server SHOULD NOT process repeated authorization requests automatically" for public clients #160

Open

hickford opened this issue Jul 27, 2023 · 1 comment

hickford commented Jul 27, 2023

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-09#name-client-impersonation

The authorization server SHOULD NOT process repeated authorization requests automatically (without active resource owner interaction) without authenticating the client or relying on other measures to ensure that the repeated request comes from the original client and not an impersonator.

How about strengthening this for public clients to MUST NOT?

Author

hickford commented Jul 27, 2023 •

edited

Mailing list discussion https://mailarchive.ietf.org/arch/msg/oauth/P3snfqtO2Seb8iAYX8rRRu-16Aw/

Does anyone know why this is only SHOULD NOT? For public clients, how about strengthening it to MUST NOT? How else can the authorization server ensure the request comes from the original client, not an impersonator?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment