Merge OAuth chapter into master #1804
Conversation
Adding OAuth requirements draft v1
Need to add a few more info and references.
Final clean-up and updating of OAuth terminology, plus added RFC references.
Trimming down new OAuth 2.0 requirements by removing the Authorization Server pieces.
Latest OAuth 2.0 requirements from RFC v24
|
Note some original comments were raised here: |
|
51.1.5 - I don't think we can/need to require it. It is recommended as one way to do that. 51.4.1 - We can not have requirements for the Resource Owner (end-user). Is a certain flow or grant is accepted/supported, it is the Authorization Server's responsibility to configure it for the OAuth Client. So it belongs to the "Authorization Server" section. This is for a quick fix. But... as I opened a discussion in #996 (comment), maybe we should not list the grants/flows which are not allowed per requirement, but have one requirement to say "Use the PKCE flow and X only, which also means, y z w flows are not allowed." |
|
hi @csfreak92, are you still clear on the remaining feedback that needs to be actioned here. It would be great to get a first draft of this chapter merged into master. |
|
Yes @tghosth, still working on it in my local copy first before pushing a commit. I will push a commit soon around late next week after this week's madness. :) |
* Update 0x51-V51-OAuth2.md Final edits for OAuth 2.0 protocol chapter * Update 0x51-V51-OAuth2.md Cleaning up trailing spaces * Fixing lint errors Changed tabs to spaces to show indentation on the terminology section. * Various tweaks throughout the document --------- Co-authored-by: Josh Grossman <[email protected]>
|
@csfreak92 please do the following:
|
|
I also have one suggestion: For... +| 51.3.1 | [ADDED] Verify that Resource Servers are using mechanisms for sender-constraining access tokens to prevent token replay, such as Mutual TLS for OAuth 2.0 or OAuth Demonstration of Proof of Possession (DPoP). | ✓ | ✓ | ✓ | ... you are supposed to use the same client secret given to the client during registration. This implied it's arbitrary. My edit suggestion is: +| 51.3.1 | [ADDED] "Verify Resource Servers implement sender-constrained access token mechanisms to mitigate token replay risks. This is achieved by mandating Mutual TLS for OAuth 2.0 or OAuth DPoP, using the client secret provided at client registration.". | ✓ | ✓ | ✓ | |
Noted, @jmanico. Just as I mentioned in the other comment, I thought of explicitly calling it out as some people might not think it is implied already, but for brevity I agree with this assessment :) |
Oh sorry Elar, I thought I addressed this already. I will fix it in my new PR that I was asked to open. |
* Finalizing OAuth 2.0 chapter Ralph made the changes requested by the reviewers based on their comments/suggestions. Also removed the mapping subsection to clean it up. * Update 0x51-V51-OAuth2.md --------- Co-authored-by: Josh Grossman <[email protected]>
This Pull Request relates to issue #996.
For now, this is just to monitor the "mergability" of the changes. We won't actually merge this until it has finished the development process.