Hi all,

the most important changes for this version are as follows:

  * New advice: For public clients, nonce is not sufficient to protect
    against authorization code injection. PKCE is now a MUST for public
    clients.
  * We have refined the guidance on using nonce for code injection
    protection, for example if multiple ID tokens are returned
    ("response_type=code id_token").
  * The draft now covers the PKCE Downgrade Attack and countermeasures.
    Authorization servers MUST follow special rules when allowing
    non-PKCE and PKCE flows for the same client.
  * Native apps with a "localhost" redirect URI can be exempt from exact
    redirect URI matching: Port numbers may differ, as in RFC8252,
    Section 7.3.
  * And finally, some clarifications on refresh token
    sender-constraining and mTLS.

-Daniel


On 05.10.20 at 17:35, internet-dra...@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts 
> directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>
>         Title           : OAuth 2.0 Security Best Current Practice
>         Authors         : Torsten Lodderstedt
>                           John Bradley
>                           Andrey Labunets
>                           Daniel Fett
>       Filename        : draft-ietf-oauth-security-topics-16.txt
>       Pages           : 50
>       Date            : 2020-10-05
>
> Abstract:
>    This document describes best current security practice for OAuth 2.0.
>    It updates and extends the OAuth 2.0 Security Threat Model to
>    incorporate practical experiences gathered since OAuth 2.0 was
>    published and covers new threats relevant due to the broader
>    application of OAuth 2.0.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/
>
> There is also an HTML version available at:
> https://www.ietf.org/id/draft-ietf-oauth-security-topics-16.html
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-security-topics-16
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


-- 
https://danielfett.de
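To make the first, third and fourth bullets above concrete, here is an added example of how an authorization server could enforce them; it is not code from the draft or from its authors. It assumes an in-memory code store, S256-only PKCE as a local server policy, and treats "localhost", 127.0.0.1 and ::1 as loopback hosts for the RFC 8252 Section 7.3 port exemption. The client records, the code verifier and the redirect URIs are constructed for the demonstration.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlsplit

# Constructed in-memory store: authorization code -> what the authorization
# endpoint recorded when it issued the code. A real AS persists this.
ISSUED_CODES = {}

# Hosts that get the loopback port exemption (assumption: RFC 8252 §7.3 names
# 127.0.0.1; "localhost" is included because the mail mentions it).
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}

def redirect_uri_matches(registered, requested):
    """Exact string comparison, with one exemption: a native app's loopback
    redirect URI may use a different port than the registered one."""
    if registered == requested:
        return True
    reg, req = urlsplit(registered), urlsplit(requested)
    if reg.scheme != "http" or req.scheme != "http":
        return False
    if reg.hostname not in LOOPBACK_HOSTS or reg.hostname != req.hostname:
        return False
    # Only the port may differ; path, query and fragment must still match.
    return (reg.path, reg.query, reg.fragment) == (req.path, req.query, req.fragment)

def s256(code_verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)), no padding (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def authorize(client, params):
    """Authorization endpoint: validate the request and issue a code.
    `client` is the registered client record, `params` the request parameters."""
    if not redirect_uri_matches(client["redirect_uri"], params["redirect_uri"]):
        raise ValueError("invalid_request: redirect_uri does not match")
    challenge = params.get("code_challenge")
    if client["public"] and challenge is None:
        # PKCE is a MUST for public clients; nonce alone does not stop code injection.
        raise ValueError("invalid_request: PKCE is required for public clients")
    if challenge is not None and params.get("code_challenge_method") != "S256":
        raise ValueError("invalid_request: only S256 is accepted")  # assumed AS policy
    code = secrets.token_urlsafe(32)
    ISSUED_CODES[code] = {
        "client_id": client["client_id"],
        "code_challenge": challenge,  # None when the request used no PKCE
        "redirect_uri": params["redirect_uri"],
    }
    return code

def token(client, params):
    """Token endpoint: redeem a code, enforcing PKCE and the downgrade countermeasure."""
    record = ISSUED_CODES.pop(params.get("code"), None)  # codes are single-use
    if record is None or record["client_id"] != client["client_id"]:
        raise ValueError("invalid_grant: unknown code or wrong client")
    if record["redirect_uri"] != params.get("redirect_uri"):
        raise ValueError("invalid_grant: redirect_uri does not match")
    verifier = params.get("code_verifier")
    if record["code_challenge"] is None:
        # PKCE downgrade countermeasure: a code_verifier is accepted only when
        # the authorization request carried a code_challenge. A verifier for a
        # code issued without a challenge signals a tampered authorization
        # request, so the AS rejects it instead of silently skipping PKCE.
        if verifier is not None:
            raise ValueError("invalid_grant: code_verifier without code_challenge")
    elif verifier is None or s256(verifier) != record["code_challenge"]:
        raise ValueError("invalid_grant: PKCE verification failed")
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

# Constructed client records and code verifier for the demonstration.
PUBLIC_APP = {"client_id": "native-app", "public": True,
              "redirect_uri": "http://127.0.0.1:1234/cb"}
WEB_APP = {"client_id": "web-app", "public": False,
           "redirect_uri": "https://rp.example/cb"}
VERIFIER = "constructed-code-verifier-" + "a" * 30  # 43..128 chars per RFC 7636

def _rejected(fn, *args):
    try:
        fn(*args)
    except ValueError:
        return True
    return False

def run_demo():
    """Exercise the rules above; returns which outcomes occurred."""
    uri = "http://127.0.0.1:49152/cb"  # native app chose a fresh ephemeral port
    code = authorize(PUBLIC_APP, {"redirect_uri": uri, "code_challenge": s256(VERIFIER),
                                  "code_challenge_method": "S256"})
    ok = "access_token" in token(PUBLIC_APP, {"code": code, "redirect_uri": uri,
                                              "code_verifier": VERIFIER})
    no_pkce_public = _rejected(authorize, PUBLIC_APP, {"redirect_uri": uri})
    code2 = authorize(WEB_APP, {"redirect_uri": WEB_APP["redirect_uri"]})
    downgrade = _rejected(token, WEB_APP, {"code": code2, "code_verifier": VERIFIER,
                                           "redirect_uri": WEB_APP["redirect_uri"]})
    return {"pkce_flow_ok": ok, "public_without_pkce_rejected": no_pkce_public,
            "verifier_without_challenge_rejected": downgrade}
```

Calling `run_demo()` walks through a public client completing a PKCE flow from an ephemeral loopback port, a public client being refused a code without PKCE, and a confidential client whose token request carries a verifier for a code issued without a challenge being rejected. The last case is the point of the downgrade rule: the server must remember per code whether a challenge was bound at authorization time, rather than inferring it from what the token request happens to contain.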
