-
-
Notifications
You must be signed in to change notification settings - Fork 679
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
V51 - OAuth - confidential client #2109
Comments
I believe the idea here is that that some authorization server implementations could assume that presenting the refresh token is enough for refreshing the token (as presenting the access token is enough for using the service). This is requirement is indeed valid for all requests to the token endpoint. A more precise wording of this requirement could be something like: ”Verify that, for using refresh tokens emitted to a confidential client, the authorization server requires authentication of this client.“ |
My point is - can you use confidential client without authentication for the token endpoint?
but asking the refresh token with token request? |
It should not be possible, but not all AS implementations follows the RFC which states that confidential clients must be authenticated, both when using refresh-tokens, authorization codes or client-credentials. This is important for a secure OAuth implementation, but perhaps not a widespread issue, except if using a custom built AS or flow (not "well-known industry standard"). Still, I think it is a good level 1 requirement for ASVS. It could also me written to not just focus on refresh-tokens, like this
There is no conflict with public clients, since the requirement only applies to confidential clients. |
Ok, the definition says "capable of", not doing so https://datatracker.ietf.org/doc/html/rfc6749#section-2.1
So from that perspective it makes sense. Should we add "authorization server" in the requirement?
|
At the moment it goes to the document as:
|
Coming from #2042, should we extend this to include other backend requests (such as PAR, token revocation, token introspection). Something in the line:
|
Update - from "all confidential clients" to "confidential client"
|
Spin-off from #2040 (comment)
Isn't it the point for confidential client to use client authentication?
If we require it from Level 1 from confidential client but allow public clients without any restrictions, I would say there is a conflict.
Is it required only for refresh token request or to any request to token endpoint?
The text was updated successfully, but these errors were encountered: